Yoast SEO 9.1 vulnerability explanation

On November 20, 2018, Yoast released a security update to fix the vulnerability. This update was not posted on the Yoast blog. This vulnerability only affects users who have the SEO Manager role enabled. It does not affect all users of Yoast SEO.

Despite this, 77% of Yoast users have not upgraded to version 9.2 and may not be aware of the vulnerability.

77% of Yoast users may be vulnerable to the Yoast 9.1 vulnerability. This is a screenshot of the official WordPress page for the Yoast SEO plugin.
This article is intended to help users understand the existence of vulnerabilities and to encourage them to upgrade responsibly.

Nuance about the Yoast vulnerability
A security expert discovered the vulnerability (called a race condition) and reported it to Yoast and the security community. Yoast took immediate action and fixed the vulnerability.

The vulnerability is a complex issue called a race condition vulnerability.

It is basically what happens when software expects operations to occur in a particular sequence. The vulnerability arises when that sequence is changed, which leaves the software open to attack.

TechTarget defines a race condition like this:

“A race condition is an unfavorable condition that occurs when a device or system attempts to perform two or more operations at the same time, but due to the nature of the device or system, the operations must be performed in the correct order.”

How does the Yoast vulnerability affect the website?
The Yoast 9.1 vulnerability requires the site to enable the Yoast SEO Manager role. This is why this vulnerability does not affect all users.

Which versions of Yoast are affected?
Reportedly, Yoast version 9.1 with the SEO Manager role is affected. The security researcher who discovered the vulnerability said:

“I tested with Yoast 9.1 and 9.0.3.”

How does the Yoast 9.1 vulnerability work?
I asked the security researcher how the vulnerability worked. He said that an attacker could locate a Yoast installation with the SEO Manager role enabled and then exploit a code execution vulnerability.

This is what he said:

“The thing for the SEO manager is that this role cannot install plugins, themes, etc. on WordPress, but the attacker can execute the command.”

The goal of command execution is to make unwanted changes to the site.

Does this affect sites that do not have the SEO Manager role enabled?
I asked the security researcher whether a website that does not have the SEO Manager role enabled is vulnerable. He suggested that if the role is not enabled, the site is unlikely to be hacked. If the SEO Manager role is enabled, the likelihood increases.

“If you don’t have an SEO manager and only WordPress administrators can upload zip archives, the impact is very low.”

Is a race condition vulnerability common?
I asked the security researcher if this is a preventable vulnerability. He replied:

“I would say that many developers don’t know about race conditions.”

What if you don’t have the SEO Manager role enabled?
In general, it is good practice to update to the latest version of the plugin. Security is never a problem until something goes wrong and site traffic crashes. Why become an object lesson for competitors?

If you are using Yoast SEO 9.1 or earlier, it may be a good idea to update it. Keeping plugins updated is a security best practice.
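
The upgrade decision described above can be applied across many sites at once. The following is an added example, not code from the original article or from Yoast: it assumes each site's plugin inventory is available as JSON in the shape produced by `wp plugin list --format=json`, and that the number of users holding the SEO Manager role (role slug `wpseo_manager`) has been counted separately; the site names and inventories are constructed.

```python
import json
import re

PLUGIN_SLUG = "wordpress-seo"   # Yoast SEO's plugin slug on WordPress.org
FIXED = (9, 2)                  # per the article, 9.2 contains the fix

def parse_version(text):
    """'9.0.3' -> (9, 0, 3); stops at the first non-numeric component.
    An unparseable version yields (), which sorts below FIXED (flagged)."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def classify(plugin_list_json, seo_manager_count):
    """Return a verdict for one site.

    plugin_list_json: text shaped like `wp plugin list --format=json`.
    seo_manager_count: users holding the SEO Manager role (assumed to come
    from `wp user list --role=wpseo_manager --format=count`).
    """
    plugins = {p["name"]: p for p in json.loads(plugin_list_json)}
    yoast = plugins.get(PLUGIN_SLUG)
    if yoast is None:
        return "not-installed"
    if parse_version(yoast["version"]) >= FIXED:
        return "patched"
    # 9.1 or earlier: the SEO Manager role decides how urgent the upgrade is.
    return "upgrade-now" if seo_manager_count > 0 else "upgrade-low-impact"

# Constructed sample inventory (not real sites): (plugin JSON, SEO Manager count).
SITES = {
    "shop.example": ('[{"name":"wordpress-seo","status":"active","version":"9.1"}]', 2),
    "blog.example": ('[{"name":"wordpress-seo","status":"active","version":"9.0.3"}]', 0),
    "docs.example": ('[{"name":"wordpress-seo","status":"active","version":"9.2"}]', 3),
    "wiki.example": ('[{"name":"akismet","status":"active","version":"4.1"}]', 1),
}

def audit(sites=SITES):
    """Map each site name to its verdict."""
    return {name: classify(js, count) for name, (js, count) in sites.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
```
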
