Yoast SEO <= 2.1.1 - Authenticated Stored DOM XSS



Description
The “snippet preview” of the Yoast WordPress SEO plugin was susceptible to cross-site scripting in versions before 2.2. The preview is rendered in the browser from the post title, and the title is first passed through yst_clean() (below), which hands the untrusted string to jQuery('<div/>').html(). That call parses the title into live DOM nodes, so a payload such as <img src=x onerror=...> executes while the nodes are being created, before .text() and the tag-stripping regular expressions ever run. The issue is authenticated (it needs an account that can open the post editor) and is stored once the title is saved with the post.
Proof of Concept
Vulnerable URL (WordPress pre-fills the title field from the post_title query parameter, so the payload reaches the preview as soon as the editor loads):
/wp-admin/post-new.php?post_title=<img src=x onerror=alert(1)>

Vulnerable Code (wordpress-seo/js/wp-seo-metabox.js):
function yst_clean(str) {
	if (str == '' || str == undefined)
		return '';

	try {
		// The untrusted string is parsed into live DOM before its text is
		// extracted: an <img onerror=...> fires while jQuery builds the
		// elements, so the tag stripping below runs too late.
		str = jQuery('<div/>').html(str).text();
		str = str.replace(/<\/?[^>]+>/gi, '');
		// Shortcode stripping. Inside a regex literal "\\1" is a literal
		// backslash followed by "1", not a backreference, so the optional
		// closing-tag part only matches text containing a literal "\1".
		str = str.replace(/\[(.+?)\](.+?\[\/\\1\])?/g, '');
	} catch (e) {
	}

	return str;
}

Link: https://github.com/Yoast/wordpress-seo/blob/2.1.1/js/wp-seo-metabox.js#L1-13
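As an added example for this page (not Yoast's code, and not the change that shipped in 2.2), the following is a DOM-free replacement for yst_clean(). It keeps the same contract (plain text with entities decoded, tags and shortcodes removed) without ever turning the input into DOM nodes, and it pairs that with the actual security boundary: writing the result into the preview through textContent rather than .html()/innerHTML. The entity table, the escapeHtml() helper and the sample titles are assumptions made for this example; the proof-of-concept title is the one from the advisory.

```javascript
// Added example, not the plugin's code. The original yst_clean() parses
// untrusted input with jQuery('<div/>').html(str): the browser instantiates
// the tags, so <img src=x onerror=...> fires before .text() strips it.
// This version never creates DOM nodes from the input.

// Assumption: the preview only needs these named entities decoded; anything
// else is left untouched rather than guessed at.
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };

// Decode &name;, &#NN; and &#xHH; with string replacement, no parser.
function decodeEntities(str) {
  return str.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const code = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(code) && code > 0 && code <= 0x10ffff
        ? String.fromCodePoint(code)
        : match;
    }
    const name = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name)
      ? NAMED_ENTITIES[name]
      : match;
  });
}

// Same contract as yst_clean(): plain text for the snippet preview.
// Entities are decoded first so "&lt;b&gt;" becomes "<b>" and is then
// dropped as text by the tag regex, mirroring what .html().text() produced.
function ystCleanSafe(str) {
  if (str === undefined || str === null || str === '') return '';
  let out = decodeEntities(String(str));
  out = out.replace(/<\/?[^>]+>/gi, '');
  // Shortcode strip with a real backreference (\1) to the opening tag name.
  out = out.replace(/\[(\w+)[^\]]*\](.*?\[\/\1\])?/g, '');
  return out;
}

// The cleaning above is cosmetic. The security boundary is how the result is
// written: assign it as text, never as markup.
function renderPreview(el, title) {
  el.textContent = ystCleanSafe(title);
}

// If a template really has to be assembled as markup, escape at that point.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample input: the advisory's proof-of-concept title, and a
// benign title mixing markup, an entity and a shortcode.
const POC_TITLE = '<img src=x onerror=alert(1)>';
const SAMPLE_TITLE = 'Hello <b>World</b> &amp; [cap]x[/cap] friends';

if (typeof document === 'undefined') {
  // Running under Node: just show the cleaned strings.
  console.log(JSON.stringify(ystCleanSafe(POC_TITLE)));
  console.log(JSON.stringify(ystCleanSafe(SAMPLE_TITLE)));
}
```

In a browser, renderPreview(document.getElementById('preview'), title) is the only call the preview code needs; the regex cleanup can fail in odd ways on malformed input without that mattering, because nothing written through textContent is ever parsed as HTML.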

Affects Plugin

Fixed in version 2.2

References

CVE CVE-2012-6692
Packet Storm 132294
URL https://inventropy.us/blog/yoast-seo-plugin-cross-site-scripting-vulnerability/

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter Charles Neill
Submitter Website https://inventropy.us/blog
Submitter Twitter ccneill
Verified No
WPVDB ID 8045

Timeline

Publicly Published 2015-06-12
Added 2015-06-12
Last Updated 2016-07-28

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.