Plugin inspection:

WordPress SEO by Yoast

No issues found

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

We didn't find anything worrying in this plugin. It's probably safe. Read more about this recommendation.

Warnings

This recommendation applies to version 1.4.10 of this plugin, but the most recent version is 22.5. These findings may no longer be correct.

Findings

Content is inserted unescaped into JavaScript; however, the source for that content appears to be hard-coded.

Administrators can write arbitrary content to htaccess files, which could allow arbitrary content to be executed. However, this plugin does obey the DISALLOW_FILE_EDIT setting and so will not allow the htaccess to be edited if the site is configured to prevent it. Given that, without this flag, arbitrary code can by design be executed by administrators anyway (via the plugin/theme editor), we think this issue can't reasonably be called a problem.

Users who do not wish arbitrary code to be executed by administrators should ensure that DISALLOW_FILE_EDIT is always set to true. Additionally, we recommend that the web server system user is not given write permissions over the web document root.
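As an added example (not part of this inspection or of the plugin), the following POSIX shell script audits an install against both recommendations: it reads the DISALLOW_FILE_EDIT constant from wp-config.php and checks whether the document root and its .htaccess are writable by the web server user. The web server user name is a parameter; www-data is only an assumed default, and group membership is not evaluated.

```shell
#!/bin/sh
# Added example (not from the inspection page): audit a WordPress install for
# the two mitigations recommended in the findings. Assumes the standard
# wp-config.php layout; the web server user is a parameter (www-data is only a
# hypothetical default).

# Prints "true", "false" or "unset" for DISALLOW_FILE_EDIT in a wp-config.php.
disallow_file_edit_state() {
  line=$(grep -E "define\( *['\"]DISALLOW_FILE_EDIT['\"] *," "$1" 2>/dev/null \
         | grep -Ev '^[[:space:]]*(//|#|/\*)' | tail -n 1)
  case "$line" in
    *true*)  echo true ;;
    *false*) echo false ;;
    *)       echo unset ;;
  esac
}

# Returns 0 if USER ($2) could write PATH ($1): world-writable, or owned by
# USER with the owner write bit set. Group permissions are not evaluated.
writable_by() {
  info=$(ls -ld "$1") || return 2
  perms=${info%% *}                             # e.g. drwxr-xr-x
  owner=$(printf '%s\n' "$info" | awk '{ print $3 }')
  case "$perms" in ????????w*) return 0 ;; esac  # other-write bit set
  if [ "$owner" = "$2" ]; then
    case "$perms" in ??w*) return 0 ;; esac      # owner-write bit set
  fi
  return 1
}

# Audit DOCROOT ($1) for web server user ($2, default www-data). Prints one
# line per check; returns 0 only when both recommendations hold.
audit_wordpress() {
  docroot=$1; webuser=${2:-www-data}; ok=0
  state=$(disallow_file_edit_state "$docroot/wp-config.php")
  if [ "$state" = true ]; then
    echo "OK   DISALLOW_FILE_EDIT is true"
  else
    echo "WARN DISALLOW_FILE_EDIT is $state (admins may edit plugin/theme files and .htaccess)"
    ok=1
  fi
  for p in "$docroot" "$docroot/.htaccess"; do
    [ -e "$p" ] || continue
    if writable_by "$p" "$webuser"; then
      echo "WARN $p is writable by $webuser"; ok=1
    else
      echo "OK   $p is not writable by $webuser"
    fi
  done
  return $ok
}
```

Run it as `audit_wordpress /var/www/html www-data` from a shell that has sourced the script; a non-zero exit means at least one recommendation is not met.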