Plugin inspection:

WordPress SEO by Yoast

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Warnings

This recommendation applies to version 2.1.1 of this plugin, but the most recent version is 9.2.1. These findings may no longer be correct.

Findings

  • At over 17,000 lines of PHP this is a very large plugin, which makes it difficult to thoroughly assess
  • Values are not escaped at the point at which they’re put into SQL (admin/class-bulk-editor-list-table.php line 263, inc/class-sitemaps.php line 1466, 1483, inc/class-wpseo-utils.php line 547) so in some cases it’s not easy to determine whether an SQLi vulnerability exists or not

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

  • Creates database requests in a way which makes it difficult to determine whether they are vulnerable or not.

Failure criteria

  • Execution of unprepared SQL statements
  • Very large codebase

Read more about our failure criteria.