Briefing

Yoast SEO Premium 27.6.1 Security Patch Addresses .htaccess Redirect Vulnerability

security
by Beth Parker · WordPress WooCommerce Yoast Google Search

Patch Yoast SEO Premium to 27.6.1 immediately if the site uses .htaccess redirects and has users with the edit_posts capability.

What to do now

Patch Yoast SEO Premium to 27.6.1 now if the conditions are met; otherwise, update anyway.

Summary

Yoast released 27.6.1 on May 26, 2026 to fix a critical vulnerability in the redirect manager that could allow authenticated users to inject malicious configuration into .htaccess, potentially leading to a site crash or remote code execution. The issue only affects sites running on Apache where .htaccess redirects were manually enabled and where users hold the edit_posts capability; the default PHP redirects are safe. The patch adds three layers of protection: input sanitization that strips control characters from redirect fields, removal of the unused endpoint, and an in‑plugin warning that notifies administrators of unusual redirect or .htaccess changes. Yoast reports no evidence of exploitation in the wild and no known abuse cases. All Yoast SEO Premium, Yoast WooCommerce SEO, and Yoast SEO AI+ customers are advised to update immediately if they meet the three conditions, and updating is recommended for all other users as well. The update can be applied via the WordPress plugin screen in under two minutes. A full security advisory will be published soon, and support is available for questions. Keeping plugins current remains best practice.

Key changes

  • Vulnerability allowed authenticated users to inject malicious config into .htaccess via redirects
  • Affects Apache servers with .htaccess redirect method and edit_posts users
  • Patch sanitizes redirect input, stripping control characters
  • Removes unused endpoint involved in the vulnerability
  • Adds in‑plugin warning for unusual redirect or .htaccess changes
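
The following audit sketch is an added example, not Yoast's code. It shows why control characters in a redirect field matter for a line-oriented file like .htaccess, and how a site owner might check stored redirects and a redirect block after patching. The block markers, the `origin`/`target` field names and all sample data are assumptions constructed for illustration.

```python
import re

# C0 control characters (CR, LF, tab, NUL, ...) plus DEL.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# The only directives this audit expects inside a redirect block.
REDIRECT_LINE = re.compile(r"^\s*Redirect(Match)?\s", re.IGNORECASE)
# Hypothetical block markers; substitute the ones found in your own .htaccess.
BEGIN, END = "# BEGIN REDIRECTS", "# END REDIRECTS"

def sanitize_field(value):
    """Strip control characters so a field cannot span more than one line."""
    return CONTROL_CHARS.sub("", value)

def audit_fields(redirects):
    """Return (index, field) for every stored field holding a control character."""
    return [(i, name)
            for i, entry in enumerate(redirects)
            for name in ("origin", "target")
            if CONTROL_CHARS.search(entry.get(name, ""))]

def audit_block(htaccess_text):
    """Return (line_number, line) for non-redirect lines inside the block."""
    findings, inside = [], False
    for number, line in enumerate(htaccess_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped == BEGIN:
            inside = True
        elif stripped == END:
            inside = False
        elif inside and stripped and not REDIRECT_LINE.match(line):
            findings.append((number, stripped))
    return findings

# Constructed sample data: entry 1 carries an embedded newline in its target.
SAMPLE_REDIRECTS = [
    {"origin": "/old-page", "target": "/new-page"},
    {"origin": "/promo", "target": "/sale\nSetEnv CONSTRUCTED_MARKER 1"},
]
SAMPLE_HTACCESS = (BEGIN + '\nRedirect 301 "/old-page" "/new-page"\n'
                   'Redirect 301 "/promo" "/sale\nSetEnv CONSTRUCTED_MARKER 1"\n' + END + "\n")

if __name__ == "__main__":
    print(audit_fields(SAMPLE_REDIRECTS))  # stored fields to review
    print(audit_block(SAMPLE_HTACCESS))    # unexpected lines in the block
```

Any line the block audit reports should be reviewed by hand; the pattern is deliberately strict and will also flag legitimate directives other than `Redirect` and `RedirectMatch`.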

Affects

wp-customers ads-customers
