[FD] Yoast Wordpress SEO Plugin <= 2.1.1 Stored, Authenticated XSS
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] Yoast Wordpress SEO Plugin <= 2.1.1 Stored, Authenticated XSS
- From: "sec@xxxxxxxxxxxxx" <sec@xxxxxxxxxxxxx>
- Date: Fri, 12 Jun 2015 20:07:47 -0500
============================================================
Info
============================================================
Affects: Yoast WordPress SEO Plugin <= 2.1.1
Download URL: https://wordpress.org/plugins/wordpress-seo/
Advisory URL:
https://inventropy.us/blog/yoast-seo-plugin-cross-site-scripting-vulnerability/
Acknowledgement: https://wordpress.org/plugins/wordpress-seo/changelog/
============================================================
Description
============================================================
The "snippet preview" functionality of the Yoast WordPress SEO plugin prior to
version 2.2 was susceptible to cross-site scripting in the admin panel, related
to the "metabox" functionality. This vulnerability appears to have been
reported 2 years ago by someone named "badconker" (link:
https://wordpress.org/support/topic/security-issue-with-post-title-field-xss-vulnerability#post-3575617),
but the plugin author said that it had already been patched at the time.
The issue can be triggered by entering arbitrary HTML into the post title
field, such as in the example URL provided below.
============================================================
Vulnerable URL
============================================================
http://example.site/wp-admin/post-new.php?post_title=<img onerror=alert(1) src=>
============================================================
Vulnerable Code
============================================================
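try {
    // .html(str) parses the untrusted title as markup; event-handler
    // attributes such as onerror can fire here, before any stripping.
    str = jQuery('<div/>').html(str).text();
    // Tag and shortcode removal run only after the parse above.
    str = str.replace(/<\/?[^>]+>/gi, '');
    str = str.replace(/\[(.+?)\](.+?\[\/\\1\])?/g, '');
} catch (e) {}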
Link:
https://github.com/Yoast/wordpress-seo/blob/2.1.1/js/wp-seo-metabox.js#L1-13
============================================================
Fix
============================================================
Updating to the latest version (2.2.1 at the time of this advisory) will fix
this issue.
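
A hardened variant of the cleaning step shown under "Vulnerable Code", as an added example that is neither the plugin's code nor its actual fix: entities are decoded with string operations only, tags are stripped afterwards, and the result is escaped before it reaches the preview. The function names and sample titles are constructed for illustration, and only the HTML handling is covered, not shortcode removal.

```javascript
// Added example; helper names are hypothetical, not taken from the plugin.
const NAMED = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'],
                       ['quot', '"'], ['apos', "'"]]);

// Decode entities with string operations only: no element is created,
// so nothing is fetched and no event handler can run.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, ref) => {
    if (ref[0] !== '#') {
      const ch = NAMED.get(ref.toLowerCase());
      return ch === undefined ? match : ch;
    }
    const hex = ref[1] === 'x' || ref[1] === 'X';
    const code = parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10);
    return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : match;
  });
}

// Plain-text title: decode first, then strip, so entity-encoded tags
// (&lt;img ...&gt;) are removed as well.
function cleanTitle(str) {
  if (typeof str !== 'string' || str === '') return '';
  return decodeEntities(str).replace(/<\/?[^>]+>/gi, '');
}

// Escape at the sink: stripping is best-effort (an unclosed "<img ..."
// survives the regex), so the preview never receives raw markup.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, c => '&#' + c.charCodeAt(0) + ';');
}

function previewHtml(title) {
  return '<span class="title">' + escapeHtml(cleanTitle(title)) + '</span>';
}

// Constructed sample titles, including the one from the advisory URL.
for (const t of ['<img onerror=alert(1) src=>',
                 '&lt;img onerror=alert(1) src=&gt;',
                 '<img onerror=alert(1) src=x',
                 'Tom &amp; Jerry <b>2015</b>']) {
  console.log(JSON.stringify(t), '->', previewHtml(t));
}
```

The cleaned title is still untrusted text: insert it with `.text()` / `textContent`, or use the escaped form when it must be concatenated into markup.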
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/