Yoast SEO 16.7-17.2 – Unauthenticated Full Path Disclosure | CVE 2021-25118 | Plugin Vulnerabilities

Description

The plugin (from versions 16.7 until 17.2) discloses the full internal path of featured images in posts via the wp/v2/posts REST endpoints which could help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities.

Proof of Concept

Put a featured image in a post, then execute 

curl -s 'https://example.com/wp-json/wp/v2/posts?per_page=1' | jq '.[0].yoast_head_json.og_image[0].path'

Affects Plugins

Fixed in 17.3

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2608691

Classification

Type

FPD

OWASP top 10

A6: Security Misconfiguration

CWE

CVSS

Miscellaneous

Original Researcher

Fariq Fadillah Gusti Insani

Submitter

Fariq Fadillah Gusti Insani

Submitter website

https://fariqfgi.medium.com/

Submitter twitter

Verified

Yes

WPVDB ID

2c3f9038-632d-40ef-a099-6ea202efb550

Timeline

Publicly Published

2021-10-05 (about 2 years ago)

Added

2022-02-23 (about 2 years ago)

Last Updated

2022-09-08 (about 1 years ago)

Other

Published

Title

Published

2014-08-01

Title

Portable phpMyAdmin - /pma/phpinfo.php Direct Request System Information Disclosure

Published

2013-06-21

Title

Wordpress 3.4 - 3.5.1 /wp-admin/users.php Malformed s Parameter Path Disclosure

Published

2014-08-01

Title

WP Photo Album Plus - Full Path Disclosure

Published

2014-08-01

Title

NextGEN Gallery <= 1.7.3 - xml/ajax.php Path Disclosure

Published

2014-08-01

Title

Social Discussions - Multiple Path Disclosure