Yoast SEO <= 9.1 - Authenticated Race Condition



Description 
According to the changelog,

"Race Condition which leads to command execution, by users with SEO Manager roles."

Affects Plugin

Yoast SEO
fixed in version 9.2

References

CVE 2018-19370
PacketStorm 150497
URL https://plugins.trac.wordpress.org/changeset/1977260/wordpress-seo
URL https://github.com/Yoast/wordpress-seo/pull/11502/commits/3bfa70a143f5ea3ee1934f3a1703bb5caf139ffa
Youtube Video

Classification

Type RCE
OWASP Top 10 A1: Injection
CWE CWE-94

Miscellaneous

Original Researcher Dimopoulos Ilias
Submitter Dimopoulos Ilias
Submitter Twitter gweeperx
Views 29258
Verified No
WPVDB ID 9150

Timeline

Publicly Published 2018-11-20 (over 1 year ago)
Added 2018-11-20 (over 1 year ago)
Last Updated 2020-04-15 (about 2 months ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin