Yoast SEO < 2.2 – Authenticated Stored DOM XSS | CVE 2012-6692 | Plugin Vulnerabilities

Description

The "snippet preview" functionality of the Yoast WordPress SEO plugin was susceptible to cross-site scripting in versions before 2.2.

Proof of Concept

Vulnerable URL:
/wp-admin/post-new.php?post_title=<img src=x onerror=alert(1)>

Vulnerable Code (wordpress-seo/js/wp-seo-metabox.js):
function yst_clean(str) {
    	if (str == '' || str == undefined)
		    return '';

	    try {
		        str = jQuery('<div/>').html(str).text();
		        str = str.replace(/<\/?[^>]+>/gi, '');
		        str = str.replace(/\[(.+?)\](.+?\[\/\\1\])?/g, '');
	    } catch (e) {
	}

	return str;
}

Link: https://github.com/Yoast/wordpress-seo/blob/2.1.1/js/wp-seo-metabox.js#L1-13

Affects Plugins

Fixed in 2.2

References

CVE

URL

https://packetstormsecurity.com/files/#132294/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Submitter

Charles Neill

Submitter website

https://inventropy.us/blog

Submitter twitter

Verified

No

WPVDB ID

3cb6636b-ffc5-4dd7-bca6-62c1ab06e6c8

Timeline

Publicly Published

2015-06-12 (about 10 years ago)

Added

2015-06-12 (about 10 years ago)

Last Updated

2021-01-19 (about 5 years ago)

Other

Published

Title

Published

2022-02-14

Title

WP Cerber Security, Anti-spam & Malware Scan < 8.9.6 - Unauthenticated Stored Cross-Site Scripting

Published

2025-09-05

Title

Biagiotti Core < 2.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2025-11-12

Title

Save as PDF Button <= 1.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via restpackpdfbutton Shortcode

Published

2014-08-01

Title

SocialGrid 2.3 - inline-admin.js.php default_services Parameter XSS

Published

2024-12-02

Title

Advanced Element Bucket Addons for Elementor <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting