Yoast SEO vulnerability, disclosure, and forced upgrade

Yoast released a new version of the WordPress SEO plugin in the last 24 hours, which fixes a blind SQL injection vulnerability. According to a post mortem by Joost de Valk, the bug wasn’t caught in security audits, but was disclosed privately to the Yoast team by Ryan Dewhurst of WPScan.

Later in the day, the core team decided to force upgrade the plugin to fix the issue across all active installs of the plugin. As you’ll remember from my post on WordPress plugin popularity, the WordPress SEO plugin is active on over 3 million websites; it was a very serious issue.

This is the second high-profile case of a plugin being updated by the WordPress.org team; the last was Jetpack last April. Dion Hulse — WordPress lead developer — described informal criteria for updating automatically this way on WordPress Core slack:

The basic requirements are a) active plugin b) large number of users c) simple targeted fix; in the case of both Jetpack and WP SEO, a release per branch is requested.

These seem like perfectly reasonable criteria to me that will not only appease but delight 99.99% of users. Some will always be upset that WordPress.org “forces” anything, but this is far on the good side of the good and evil internet spectrum.

Additionally, WordPress.org was able to push the fix (per Yoast’s request) for each version back 3 major releases, covering far more installs than a regular plugin update could have.
