28 Aug 2024

WordPress Plugins Failing to Properly Uninstall Leads to Sensitive Information Being Left Behind

We recently completed a security review of a WordPress plugin we were planning to use on our website. We ended up not using the plugin because of an issue unrelated to the security review. While working on the security review, we ran into an issue that hasn’t been checked for as a part of our security reviews, but in hindsight, is something that should be checked on. It turns out that it is an issue that impacts many WordPress plugins, including a couple of plugins with 10+ million installs.

We will be releasing the results of the review once the developer has had a chance to respond to the issues we found. So without getting into the specifics of the issue in the plugin, what we found was that the plugin stores sensitive information as WordPress options (settings) and doesn’t remove it when the plugin is uninstalled. The sensitive information is credentials for an API. Not only is that a security issue, it goes against the “basics” of how WordPress plugins are supposed to operate. The Uninstall Methods section of the Plugin Handbook states that “When your plugin is uninstalled, you’ll want to clear out any plugin options and/or settings specific to the plugin, and/or other database entities such as tables.” It also defines when a plugin is uninstalled: “A plugin is considered uninstalled if a user has deactivated the plugin, and then clicks the delete link within the WordPress Admin.” [Read more]
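The handbook convention the excerpt quotes is an `uninstall.php` file that WordPress runs only when the plugin is deleted from the admin screen. The file below is an added example, not the reviewed plugin’s code; the option names are assumed, and the multisite branch goes beyond the single-site case the excerpt describes.

```php
<?php
// uninstall.php: WordPress includes this file only when the plugin is deleted
// via the admin "Delete" link, and defines WP_UNINSTALL_PLUGIN before doing so.
// Added example, not the reviewed plugin's code; option names are assumed.
if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
    exit; // Refuse to run if requested directly or included by anything else.
}

// Constructed list of every option the plugin writes, including the API
// credentials that would otherwise stay in wp_options after deletion.
$example_plugin_options = array(
    'example_plugin_api_key',
    'example_plugin_api_secret',
    'example_plugin_settings',
);

// Remove the named options from the current site's wp_options table.
function example_plugin_delete_options( array $names ) {
    foreach ( $names as $name ) {
        delete_option( $name );
    }
}

if ( is_multisite() ) {
    // Per-site settings live in each site's own options table, so the
    // deletion has to be repeated on every site in the network.
    foreach ( get_sites( array( 'fields' => 'ids' ) ) as $blog_id ) {
        switch_to_blog( $blog_id );
        example_plugin_delete_options( $example_plugin_options );
        restore_current_blog();
    }
    // Network-wide settings are stored in wp_sitemeta, not wp_options.
    foreach ( $example_plugin_options as $name ) {
        delete_site_option( $name );
    }
} else {
    example_plugin_delete_options( $example_plugin_options );
}
```

A quick check after deleting a plugin is `wp option list --search='example_plugin_*'` (WP-CLI); any row it still returns is data the uninstall routine left behind.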

3 Jul 2023

Yoast SEO Founders Fund Collaboration Platform That Opens WordPress Websites to Having All Their Users Deleted

One of the most unsavory elements of the WordPress community is all the people that promote themselves as being community focused while seeming to be much more interested in how they can sell off what they provide to the highest bidder, leaving their users and customers holding the bag. There is nothing wrong with running a business, but there is something wrong with claiming that you are about the community and then selling yourself to someone that is known to be engaged in shady business practices, like the Orwellian-named Awesome Motive. At the same time, a well-funded developer could potentially provide better solutions. One area where things are in need of significant improvement is security. Unfortunately, based on a plugin we recently ran across a serious vulnerability in, it doesn’t appear that funders in the WordPress space care about security. The plugin comes from Atarim, which touted being funded by investors with a WordPress background in September:

Even though Atarim’s visual collaboration tools are now available for any website, WordPress has been our home from day 1, and having such an inspiring group of investors, each with their own success stories in the WP space, we’re going to continue supporting and championing the community. Now, in even more ways than we could before. [Read more]

6 Mar 2023

Here Are the 4 WordPress Security Plugins That Protected Against a Vulnerability Wordfence Failed to Protect Against Despite Having Discovered It

Last week, Wordfence disclosed the details of an authenticated persistent cross-site scripting (XSS) vulnerability they had found in a popular WordPress plugin with 3+ million installs (as well as something else that wasn’t really a vulnerability). There were some things they said in their post that are rather problematic.

One of them was that they were claiming to have responsibly disclosed the vulnerability, while also contradicting that. According to their post, the day before they notified the developer of the plugin about the vulnerability, they were already selling access to information about exploiting the vulnerability through their Wordfence Premium service. That isn’t responsible disclosure and any hacker willing to pay for the service could have started exploiting this before the developer was even notified about it. Wordfence’s paying customers would have been protected from it at the time, but others would not without having some other security in place. [Read more]

2 Mar 2023

Latest Yoast SEO Version Fixes Vulnerability Recently Fixed in All in One SEO

Earlier today, one of our monitoring systems alerted us that one of the WordPress plugins used by our customers had possibly had a security fix released, as the changelog entry for the latest version of Yoast SEO is:

Fixes a security issue in the post editor. [Read more]

1 Dec 2017

What Happened With WordPress Plugin Vulnerabilities in November 2017

If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.

Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during November (and what you have been missing out on if you haven’t signed up yet): [Read more]

1 Aug 2016

False Vulnerability Report: Self XSS Vulnerability in Yoast SEO 3.3.2

As part of our cataloging the vulnerabilities in WordPress plugins for our service we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well, we post our findings on them.

If you are going to promote your “web application security scanner” as being “False positive free” as Netsparker does, it would probably be a good idea not to release advisories for vulnerabilities that don’t actually exist, using data from that tool. But that is what Netsparker did with several recent advisories for WordPress plugins, including a claim of a self XSS vulnerability in Yoast SEO. [Read more]

11 May 2016

Information Disclosure Vulnerability in Yoast SEO

Recently the security company Wordfence released an advisory for the Yoast SEO plugin for what seems to be a rather minor issue. Logged in users could access several functions of Yoast SEO that they were not normally intended to have access to, including exporting the plugin’s settings. While reviewing that to include it in our service’s data, we noticed that, related to this, there was also a problem with the cross-site request forgery (CSRF) protection in the export function of the plugin.

The fact that the plugin now restricts the export function to Administrator level users (by restricting it to users who can manage_options) and that there was supposed to be CSRF protection for it would indicate that the result of that export should not be available to the public. In normal circumstances it doesn’t look like sensitive data, so the public’s access to it does not seem to be a major issue at this point, but that could change, so making sure it is not easily accessible to the public seems like a good idea. Currently that isn’t the case. [Read more]

11 May 2016

Cross-site Request Forgery (CSRF) Vulnerability in Yoast SEO

One of the things we think highlights the poor security of WordPress plugins is how often reviewing a report of a vulnerability points to other security issues in a plugin. Recently the security company Wordfence released an advisory for the Yoast SEO plugin for what seems to be a rather minor issue. Logged in users could access several functions of Yoast SEO that they were not normally intended to have access to, including exporting the plugin’s settings.

Since Wordfence had not included a proof of concept that we could use to verify the vulnerability and determine what versions were vulnerable, we needed to create that ourselves. To do that we started by looking at the changes made in the version of the plugin that was supposed to have fixed the issue, 3.2.5. The only relevant changes we could find were these: [Read more]