Yoast SEO Premium 27.6.1 is out now. This release includes a security fix affecting the Redirect Manager in Yoast SEO Premium. The good news: the vast majority of users are not impacted. If you’re a customer of Yoast SEO Premium, Yoast WooCommerce SEO, or Yoast SEO AI+, please read on.
Are you impacted?
The vast majority of customers are not impacted. Your site is only potentially at risk if all three of the following are true:
- You’re using a plan that includes the Yoast SEO Premium plugin. This includes Yoast SEO Premium, Yoast WooCommerce SEO, and Yoast SEO AI+
- Your server runs Apache and you have manually changed your redirect method to write to .htaccess. If you’re using the default PHP-based redirects, you are not affected
- A user with the edit_posts capability has access to your site. Without this, the vulnerability cannot be exploited even if the other conditions are met
What was the problem?
An authenticated user could inject unexpected configuration into a site’s .htaccess file by including special characters in a redirect. Depending on what was injected, this could range from a site crash to, in the most serious cases, remote code execution.
We have reviewed a sample of sites using the affected configuration and found no evidence of exploitation. There are no known cases of abuse.
What’s fixed
The patch includes three layers of protection:
- Input sanitization: control characters are now stripped from redirect fields before they are saved
- Removed unused code: the specific endpoint involved in the vulnerability has been removed, as it was no longer used by the plugin anyway
- In-plugin warning: we’ve added a proactive notification that will alert you if anything unusual is detected in your redirects or .htaccess file, so you can review and act quickly without the need to go looking for it
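As an added example (not Yoast’s code), here is a Python check a site owner could run over exported redirects to flag control characters and strip them, mirroring the input sanitization layer described above. The tuple layout, the function names and the one-`Redirect`-directive-per-entry rendering are assumptions for illustration, and the sample data is constructed.

```python
import unicodedata

# Constructed sample data: (origin, target, HTTP status). Not taken from any real site.
SAMPLE_REDIRECTS = [
    ("/old-page", "/new-page", 301),
    ("/summer-sale", "/sale\n# constructed extra line", 301),
    ("/docs\x00", "/help", 302),
]


def control_chars(value):
    """Return (index, codepoint) for every control character (Unicode category Cc)."""
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(value)
            if unicodedata.category(ch) == "Cc"]


def sanitize_field(value):
    """Strip control characters before a redirect field is stored."""
    return "".join(ch for ch in value if unicodedata.category(ch) != "Cc")


def render_line(origin, target, status):
    """Assumed simplified output: one mod_alias Redirect directive per redirect."""
    return f"Redirect {status} {origin} {target}"


def audit(redirects):
    """Flag redirects whose fields hold control characters or render to more than one line."""
    findings = []
    for n, (origin, target, status) in enumerate(redirects):
        hits = {name: control_chars(val)
                for name, val in (("origin", origin), ("target", target))
                if control_chars(val)}
        lines = render_line(origin, target, status).splitlines()
        if hits or len(lines) != 1:
            findings.append({"index": n, "fields": hits, "rendered_lines": len(lines)})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REDIRECTS):
        print(finding)
    cleaned = [(sanitize_field(o), sanitize_field(t), s) for o, t, s in SAMPLE_REDIRECTS]
    print("after sanitizing:", audit(cleaned))
```

The line-count check is independent of the character scan, so it also catches Unicode line separators that fall outside category Cc.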
What you must do
Please update to 27.6.1 from the WordPress plugins screen; your admin can do this in under two minutes.
If you meet all three conditions above, we recommend updating as soon as possible. If you do not, the security fix doesn’t apply to your setup, but keeping your plugins current is always good practice, and 27.6.1 is the version we recommend for everyone.
If you’re unsure whether you’re affected, check your redirect settings directly at [www.yoursite.com]/wp-admin/admin.php?page=wpseo_redirects#/redirect-method. If you don’t see .htaccess mode enabled, you’re not at risk.

A full security advisory will be published soon. If you have any questions or concerns in the meantime, our support team is here to help you.
Thank you for your continued trust in Yoast.


