Proactive security fixes in Yoast SEO (update to v20.2.1) • Yoast
We take security seriously at Yoast and are constantly looking for potential threats and vulnerabilities that could affect our products and customers. This is why we were concerned when security firm Wordfence found XSS vulnerabilities in another SEO plugin. After carefully reviewing the issues, we found a similar but less severe vulnerability in Yoast SEO, which we chose to patch immediately.
Please update to the latest version today to ensure your site is protected.
Am I affected?
The problem only affected sites with multiple users, where those users had ‘contributor’ access or higher. In some cases, those users could save code in our snippet editor, which would then run for other users. A malicious person could have used this to compromise other users or the website in question. This is a type of ‘XSS’ attack.
In short, some of the people you’ve given limited permission to publish or edit content on your site might be able to circumvent those permissions and cause harm if they wanted to.
What is an XSS vulnerability?
XSS stands for cross-site scripting, a type of attack that allows malicious actors to inject scripts into web pages viewed by other users. An issue like this can lead to various consequences, such as hijacking user sessions, defacing websites, or redirecting users to malicious sites.
XSS vulnerabilities occur when user input fields are not properly sanitized (to ensure that values are safe and match expected formats and patterns) or not...
source: https://news.oneseocompany.com/2023/03/06/proactive-security-fixes-in-yoast-seo-update-to-v20-2-1-yoast_2023030641534.html