Yoast SEO Premium 27.6.1 is now available. This release contains a security fix for the Redirect Manager in Yoast SEO Premium. The good news: the vast majority of users are not affected. If you are a Yoast SEO Premium, Yoast WooCommerce SEO or Yoast SEO AI+ customer, please read on.
Are you affected?
The vast majority of customers are not affected. Your website is only potentially at risk if all three of the following statements are true:
- You use a plan that includes the Yoast SEO Premium plugin: Yoast SEO Premium, Yoast WooCommerce SEO or Yoast SEO AI+
- Your server runs Apache and you have manually switched the redirect method to write to .htaccess. If you use the default PHP-based redirects, you are not affected
- An attacker has an account on your site with the edit_posts capability (in a default WordPress installation, the Contributor role and above). Without that capability the vulnerability cannot be exploited, even if the other two conditions are met
What was the problem?
An authenticated user could inject unexpected configuration into a site's .htaccess file by inserting special characters (control characters such as a line break) into a redirect. The redirect fields were written into .htaccess verbatim, so text following a line break was read by Apache as a directive of its own. Depending on what was injected, the impact ranges from a syntax error that takes the whole site down (Apache answers every request with a 500 error when .htaccess fails to parse) to remote code execution.
We checked a selection of websites that use the affected configuration and found no evidence of exploitation. There are no known cases of abuse.
What is fixed?
The patch includes three levels of protection:
- Input sanitization: Control characters are now removed from redirection fields before they are saved
- Unused code removed: The specific endpoint affected by the vulnerability has been removed, because the plugin no longer used it anyway
- Warning in the plugin: We've added a proactive notification that alerts you if something unusual is detected in your redirects or .htaccess file, so you can check and act quickly without having to search for it
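To make the mechanism and the two technical fixes concrete, here is an added example; it is not Yoast's code, and the managed-block marker lines, the directive allowlist and the injected line are assumptions constructed for illustration. It models a redirect writer that interpolates fields verbatim (the bug class described above), the same writer with control-character sanitization (the first fix), and an audit that flags unexpected lines in the managed block (the kind of check the new in-plugin warning performs for you).

```python
"""Constructed model of a redirect manager that writes rules into .htaccess.
Not Yoast's code: marker lines, field layout and the injected directive are
assumptions made for illustration only."""
import re

# Hypothetical marker lines delimiting the block the plugin manages.
BEGIN = "# BEGIN redirect-manager (hypothetical marker)"
END = "# END redirect-manager (hypothetical marker)"

# Constructed redirect entries as a user with edit_posts might submit them.
# The third target smuggles a newline followed by a second directive; the
# directive is a made-up illustration of an "unexpected configuration".
REDIRECTS = [
    ("/old-page", "/new-page", 301),
    ("/blog/2019", "/blog", 302),
    ("/promo", "/promo-2024\nAddType application/x-httpd-php .png", 301),
]


def render_unsafe(redirects):
    """Vulnerable writer: interpolates the fields verbatim, so a newline in
    a field ends the Redirect directive and starts a new one."""
    lines = [BEGIN]
    for src, dst, code in redirects:
        lines.append(f"Redirect {code} {src} {dst}")
    lines.append(END)
    return "\n".join(lines) + "\n"


# ASCII control characters (NUL..US and DEL): newline, CR, tab, NUL and so on.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_field(value):
    """Input sanitization as described in the fix: drop control characters."""
    return CONTROL.sub("", value)


def render_safe(redirects):
    """Hardened writer: sanitizes each field and, going beyond the fix as
    described on the page, skips any entry that still could not be a single
    URL-path/URL token (whitespace would add an extra argument, which Apache
    rejects as a syntax error and answers with HTTP 500 for the whole site)."""
    lines = [BEGIN]
    for src, dst, code in redirects:
        src, dst = sanitize_field(src), sanitize_field(dst)
        if not src.startswith("/") or re.search(r"\s", src + dst):
            continue  # constructed policy: refuse rather than try to repair
        lines.append(f"Redirect {int(code)} {src} {dst}")
    lines.append(END)
    return "\n".join(lines) + "\n"


# Directives a redirect manager legitimately emits; anything else inside the
# managed block is suspicious. Extend this to match what your plugin writes.
ALLOWED = re.compile(r"^(Redirect|RedirectMatch|RewriteEngine|RewriteCond|RewriteRule)\b")


def audit_htaccess(text):
    """Return (line_number, line) for every non-empty line inside the managed
    block that is not a redirect directive, plus any line anywhere in the file
    still containing a control character after the line breaks are removed."""
    findings = []
    inside = False
    for n, line in enumerate(text.splitlines(), 1):
        if line == BEGIN:
            inside = True
            continue
        if line == END:
            inside = False
            continue
        unexpected = inside and line.strip() and not ALLOWED.match(line.strip())
        if CONTROL.search(line) or unexpected:
            findings.append((n, line))
    return findings


if __name__ == "__main__":
    unsafe = render_unsafe(REDIRECTS)
    print(unsafe)
    print("unsafe findings:", audit_htaccess(unsafe))
    print("safe findings:", audit_htaccess(render_safe(REDIRECTS)))
```

Run it and the injected `AddType` line shows up as a directive of its own in the unsafe output and is absent from the sanitized one. On a live Apache host the same audit idea is a one-liner with GNU grep: `grep -nP '[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]' .htaccess` lists lines carrying stray control characters, and any directive between the plugin's markers that is not a redirect rule deserves a closer look.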
What you should do
Please update to 27.6.1 from the WordPress plugin screen. Your administrator can do this in less than two minutes.
If you meet all three conditions above, we recommend you update as soon as possible. If you do not, the vulnerability does not apply to your setup, but it is always good practice to keep your plugins up to date, and 27.6.1 is the version we recommend to everyone.
If you are unsure whether you are affected, check your redirect settings directly at (www.yoursite.com)/wp-admin/admin.php?page=wpseo_redirects#/redirect-method. If .htaccess mode is not enabled, you are not at risk.
A comprehensive security advisory will be published shortly. In the meantime, if you have any questions or concerns, our support team is here to help.
Thank you for your continued trust in Yoast.