
Yoast SEO Plugin Vulnerability Alert - Webmasters - Nairaland


Yoast SEO Plugin Vulnerability Alert by APHATHEOLOGY(m): 12:35pm On May 08, 2016
One of our security researchers, Panagiotis Vagenas, discovered a vulnerability in Yoast SEO version 3.2.4 and earlier that allows any user with ‘subscriber’ level access to download your Yoast SEO settings. For sites that have open registration, this means that anyone can register and download your Yoast SEO settings by simply creating an account and running the exploit.

We reported this vulnerability to Yoast Tuesday May 3rd and their team has released a fix today, Friday May 6th. We recommend that you upgrade immediately if you are using Yoast SEO. This vulnerability is fixed in Yoast SEO version 3.2.5.

You have been protected against this vulnerability being exploited from the moment we notified the plugin author which was on Tuesday. We released a firewall rule via the Threat Defense Feed on Tuesday that is already protecting your site. This is per our standard disclosure procedure. See below for details.

Details of the Vulnerability
Yoast SEO plugin has a Sensitive Data Exposure vulnerability. Plugin registers the following AJAX actions:

wpseo_export
get_focus_keyword_usage
get_term_keyword_usage

These actions are privileged, therefore they are available only to registered users, but no special capabilities are required to perform them. Any user with a valid account on the target website can exploit those actions to get information about Yoast SEO settings and post metadata relative to focus and term keywords.

This kind of information should be available only to users with administrative capabilities. To be more precise, to users that have the manage_options capability, because the plugin’s option pages require this capability by default.

We will not be releasing an exploit proof of concept at this stage but we shared a PoC with the Yoast team on Tuesday to help them confirm and fix the vulnerability.

Conclusion: if you are using Yoast SEO Plugin, please kindly Update to the Latest Version.

Kindly Visit/Join the Programmers/Wapmasters Forum via http://www.nct.com.ng/
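The advisory above describes a classic WordPress pattern: an AJAX action registered on a `wp_ajax_` hook is only reachable by logged-in users, but WordPress does not check capabilities for you, so a subscriber account reaches the handler unless the handler itself checks. The following is an added example, not Yoast's code and not from the original post; the handler and option names are hypothetical, while `manage_options` is the capability the advisory names. It shows the unchecked form beside the hardened form, plus a small audit helper a site owner can drop into a must-use plugin to list which `wp_ajax_` actions their installed plugins register.

```php
<?php
// Added example (hypothetical names), illustrating the flaw class in the advisory.
// WordPress runs 'wp_ajax_{action}' only for authenticated users, but any role,
// including 'subscriber', is authenticated. Authorization is the handler's job.

// BEFORE: privileged-only by registration, but no capability check inside.
add_action( 'wp_ajax_example_export_settings', 'example_export_settings_unchecked' );
function example_export_settings_unchecked() {
    // Any logged-in account, whatever its role, reaches this line.
    wp_send_json_success( get_option( 'example_plugin_settings' ) );
}

// AFTER: require the same capability the plugin's settings page requires,
// and a nonce so the request must come from the plugin's own admin UI.
add_action( 'wp_ajax_example_export_settings_v2', 'example_export_settings_checked' );
function example_export_settings_checked() {
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() terminates the request; nothing below runs.
        wp_send_json_error( array( 'message' => 'Insufficient capability.' ), 403 );
    }
    // Dies with -1 unless the 'nonce' request field is valid for this action.
    check_ajax_referer( 'example_export_settings', 'nonce' );
    wp_send_json_success( get_option( 'example_plugin_settings' ) );
}

// Audit helper for site owners: list every registered wp_ajax_ action so the
// handlers can be reviewed for a current_user_can() check. Returns an array of
// action names (the hook name with the 'wp_ajax_' prefix removed).
function example_list_ajax_actions() {
    $actions = array();
    foreach ( array_keys( $GLOBALS['wp_filter'] ) as $hook ) {
        if ( 0 === strpos( $hook, 'wp_ajax_' ) && 0 !== strpos( $hook, 'wp_ajax_nopriv_' ) ) {
            $actions[] = substr( $hook, strlen( 'wp_ajax_' ) );
        }
    }
    sort( $actions );
    return $actions;
}

// Example use: visit /wp-admin/?example_list_ajax=1 as an administrator to see
// the list (the capability check keeps the listing itself admin-only).
add_action( 'admin_init', function () {
    if ( isset( $_GET['example_list_ajax'] ) && current_user_can( 'manage_options' ) ) {
        wp_send_json( example_list_ajax_actions() );
    }
} );
```

The design point is that registration on `wp_ajax_` versus `wp_ajax_nopriv_` only decides between "logged in" and "anyone"; the capability that gates the plugin's settings page must be re-checked in every AJAX handler that exposes the same data, which is exactly the check the advisory says was missing for the three listed actions.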
Re: Yoast SEO Plugin Vulnerability Alert by brianromel(m): 9:46pm On May 10, 2016
Wow, thanks for the info.

I use Yoast a lot for my blog, so it was a wonder when I had just updated to 3.2.4 only to get an update to 3.2.5 the next day.

Was wondering why an update so quickly. At least now I know.

Thanks for the heads up
Re: Yoast SEO Plugin Vulnerability Alert by APHATHEOLOGY(m): 11:44pm On May 10, 2016
brianromel:
Wow, thanks for the info.

I use Yoast a lot for my blog, so it was a wonder when I had just updated to 3.2.4 only to get an update to 3.2.5 the next day.

Was wondering why an update so quickly. At least now I know.

Thanks for the heads up

I am happy this info is of help. We also got the report from one of our users at www.nct.com.ng (a forum meant for Programmers/Wapmasters and web lovers; I hope you also join us there).
