At WP Engine, we take the security of your sites very seriously, and we strive to keep you aware of any potential issues or vulnerabilities that could impact the sites you entrust to us.
We want to take this opportunity to inform you that a critical security update has been made available for the WordPress SEO by Yoast plugin, which a portion of our customers use to improve search engine results. The update follows the discovery of a security flaw in the old version of the plugin that could allow authenticated individuals to perform Cross-Site Request Forgery (CSRF) and blind SQL injection using the bulk editor.
Due to the severity of the vulnerability, we’re asking our customers to update their WordPress SEO by Yoast plugin to the most recent version, which is available now via the Updates menu within the WordPress dashboard. Please make sure to run a backup of your site first. You can read more on how to perform a backup here: http://wpengine.com/support/restore/. We’ve emailed our affected customers, but wanted to post this information to our blog as well.
If you have any questions about updating your plugin or performing a backup, please feel free to reach out to your WP Engine Support team at any time.
thomas says
Hey!
There is no new version available (the current is 1.7.4).
The vulnerabilities affect the oldest versions?
Thanks
thomas says
Whoops, I read too fast…
toby says
Why isn’t WP Engine proactively either updating the plugin or issuing a server patch like some other hosting companies are doing?
Dustin Meza says
Hello Toby,
Great question. We had a long discussion around this, and as the vulnerability is limited to access from the admin, we felt that upgrading the plugin automatically, which for some sites had the potential to break their site, was not necessary at this time. We have done this in the past, and will continue to keep it as an option in the future.