Security patch: Yoast SEO Premium 27.6.1

May 26, 2026 03:47 PM

Yoast SEO Premium 27.6.1 is out now. This release contains a security fix affecting the Redirect Manager in Yoast SEO Premium. The good news: the vast majority of users are not impacted. If you’re a customer of Yoast SEO Premium, Yoast WooCommerce SEO, or Yoast SEO AI+, please read on.

Are you affected? 

The vast majority of customers are not impacted. Your site is only potentially at risk if all 3 of the following are true:

  • You are using a plan that includes the Yoast SEO Premium plugin. This includes Yoast SEO Premium, Yoast WooCommerce SEO, and Yoast SEO AI+
  • Your server runs Apache and you have manually changed your redirect method to write to .htaccess. If you’re using the default PHP-based redirects, you are not affected
  • A user has access to your site with the edit_posts capability. Without this, the vulnerability cannot be exploited even if the other conditions are met

What was the issue? 

An authenticated user could inject unexpected configuration into a site’s .htaccess file by including special characters in a redirect. Depending on what was injected, this could range from a site crash to, in the most serious cases, remote code execution.

We have reviewed a sample of sites using the affected configuration and found no evidence of exploitation. There are no known cases of abuse.

What’s fixed 

The patch includes 3 layers of protection:

  • Input sanitization: control characters are now stripped from redirect fields before they’re saved 
  • Removed unused code: the specific endpoint involved in the vulnerability has been removed, as it was no longer used by the plugin anyway
  • In-plugin warning: we’ve added a proactive notification that will alert you if anything unusual is detected in your redirects or .htaccess file, so you can review and act quickly without the need to go looking for it
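
The sanitization and warning layers can be illustrated with a short Python sketch. This is an added example, not Yoast's code: the `Redirect <status> <origin> <target>` line format, the choice of a line feed as the control character, the sample data and all function names are assumptions made for illustration.

```python
import re

# C0 control characters (CR, LF, TAB, NUL, ...) plus DEL.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Assumed shape of one generated line: Redirect <status> <origin> <target>
EXPECTED_LINE = re.compile(r"^Redirect \d{3} \S+ \S+$")

# Constructed sample data: the second target carries a line feed
# followed by a harmless comment marker.
SAMPLE = [
    {"origin": "/old-page", "target": "/new-page"},
    {"origin": "/promo", "target": "/sale\n#unexpected-extra-line"},
]


def strip_control_chars(value):
    """Drop control characters from a redirect field before it is saved."""
    return CONTROL_CHARS.sub("", value)


def render_block(redirects, sanitize):
    """Render redirects the way a .htaccess writer might (assumed format)."""
    clean = strip_control_chars if sanitize else (lambda v: v)
    return "\n".join(
        f"Redirect 301 {clean(r['origin'])} {clean(r['target'])}" for r in redirects
    )


def audit_fields(redirects):
    """Return (index, field, escaped value) for fields holding control characters."""
    return [
        (i, field, r[field].encode("unicode_escape").decode())
        for i, r in enumerate(redirects)
        for field in ("origin", "target")
        if CONTROL_CHARS.search(r[field])
    ]


def unexpected_lines(block):
    """Return lines of a generated block that are not a single redirect."""
    return [line for line in block.split("\n") if not EXPECTED_LINE.match(line)]


if __name__ == "__main__":
    print("stored fields:", audit_fields(SAMPLE))
    print("unsanitized block:", unexpected_lines(render_block(SAMPLE, sanitize=False)))
    print("sanitized block:", unexpected_lines(render_block(SAMPLE, sanitize=True)))
```

Without stripping, the single stored redirect becomes two lines in the generated block, and the second line is no longer a redirect; with stripping, every line still matches the expected shape.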

What you should do 

Please update to 27.6.1 from the WordPress plugins screen; your admin can do this in under 2 minutes.

If you meet all 3 conditions above, we recommend updating as soon as possible. Should you not, the security fix doesn’t apply to your setup, but keeping your plugins current is always good practice, and 27.6.1 is the version we recommend for everyone.

If you’re unsure whether you’re affected, check your redirect settings directly at [www.yoursite.com]/wp-admin/admin.php?page=wpseo_redirects#/redirect-method. If you don’t see .htaccess mode enabled, you’re not at risk.

Security method in app UI

A full security advisory will be published soon. If you have any questions or concerns in the meantime, our support team is here to help you.

Thank you for your continued trust in Yoast.
