On November 20, 2018, Yoast released a security update to address a vulnerability. This update was not announced on the Yoast blog. The vulnerability only affects users who have the SEO Manager role enabled and does not impact all users of Yoast SEO.
Nevertheless, 77% of Yoast users have not upgraded to version 9.2 and may be unaware of the vulnerability.
This article seeks to help users by making them aware that the vulnerability exists and to responsibly encourage them to upgrade.
Nuance About the Yoast Vulnerability
A security expert discovered the vulnerability, a type known as a "Race Condition," and alerted Yoast and the security community. Yoast took immediate action to fix the vulnerability.
The flaw is a race condition. It occurs when software expects operations to happen in a certain sequence, but that sequence can be changed, which opens up an opportunity for an attack.
TechTarget defines a Race Condition as:
“A race condition is an undesirable situation that occurs when a device or system attempts to perform two or more operations simultaneously, but because of the nature of the device or system, the operations must be done in the proper sequence to be done correctly.”
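As an added illustration of the pattern the definition above describes, and not code from Yoast or from the researcher's report, here is a small Python model of a "check, then act" race: a quota check that passes for two concurrent requests because the check and the update are not performed as one atomic step. The UploadQuota class, its limit and the barrier used to force the interleaving are all constructed for this example and say nothing about how the Yoast flaw itself worked.

```python
import threading


class UploadQuota:
    """Toy per-site quota (constructed for illustration): at most `limit`
    archives may be accepted. Nothing here models Yoast's actual code."""

    def __init__(self, limit):
        self.limit = limit
        self.count = 0
        self.lock = threading.Lock()

    def reserve_racy(self, gate=None):
        # Step 1: check. Step 2: act. Another request can slip in between.
        allowed = self.count < self.limit
        if gate is not None:
            gate.wait()          # force every request past the check before any acts
        if allowed:
            self.count += 1      # the state the check depended on may have changed
        return allowed

    def reserve_safe(self):
        # Check and act under one lock, so the sequence cannot be interleaved.
        with self.lock:
            if self.count < self.limit:
                self.count += 1
                return True
            return False


def run_concurrently(fn, n):
    """Run fn() in n threads and return the list of results."""
    results = [None] * n

    def worker(i):
        results[i] = fn()

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def demo_racy(limit=1, requests=2):
    """Returns (accepted, final_count). With the barrier, every request
    passes the check, so `accepted` exceeds `limit`."""
    quota = UploadQuota(limit)
    gate = threading.Barrier(requests, timeout=5)
    results = run_concurrently(lambda: quota.reserve_racy(gate), requests)
    return sum(results), quota.count


def demo_safe(limit=1, requests=2):
    """Same workload with the check and update made atomic: exactly
    `limit` requests are accepted."""
    quota = UploadQuota(limit)
    results = run_concurrently(quota.reserve_safe, requests)
    return sum(results), quota.count


if __name__ == "__main__":
    print("racy:", demo_racy())   # accepted 2 of a limit of 1
    print("safe:", demo_safe())   # accepted 1 of a limit of 1
```

The barrier exists only to make the bad interleaving reproducible; in real software the same outcome depends on timing, which is why these bugs are easy to miss in testing. The fix is to hold the lock across both the check and the update, not just around the update.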
How Does the Yoast Vulnerability Affect Websites?
The Yoast 9.1 vulnerability requires that a website have the Yoast SEO Manager role enabled. This is why this vulnerability does not affect all users.
Which Versions of Yoast Does this Affect?
It is reported that Yoast version 9.1 and earlier versions with the SEO Manager role are affected. The security researcher who discovered the vulnerability said:
“I tested with Yoast 9.1 and 9.0.3.”
How Does the Yoast 9.1 Vulnerability Work?
I asked the security researcher how the vulnerability worked, and he explained that the attacker can target Yoast installations with the SEO Manager role enabled to perform code execution exploits.
Here is what he said:
“The thing with the SEO Manager is that this role is not able to install plugins, themes, etc., on WordPress; however, the attacker can perform command execution.”
The goal of command execution is to make undesirable changes to the website.
Does this Affect Sites without the SEO Manager Role Enabled?
I asked the security researcher if sites with the SEO Manager role not enabled were vulnerable. He advised that the likelihood of being hacked is remote if the role is not enabled. The risk increases if the SEO Manager role is enabled.
“If you do not have SEO Manager, and the zip archive can be uploaded only by a WordPress administrator, the impact is very low.”
Are Race Condition Vulnerabilities Common?
I asked the security researcher if this vulnerability is preventable. He answered:
“I would say that many developers are not aware of race condition issues.”
What if You Don’t Have SEO Manager Role Enabled?
In general, it’s good practice to update to the latest version of your plugins. Security often only gets attention after it has already become a problem, by which point the site may be losing web traffic. Why become an object lesson to your competitors?
If you are using Yoast SEO 9.1 or earlier, it is advisable to update it. Keeping plugins updated is a security best practice.
More Resources
- Study Shows Web Security Directly Affects SEO
- SEO & Cybersecurity: How the SEO Industry Views the Relationship
- Yoast SEO Plugin 7.0 Bug Causes Ranking Drops