WordPress Plugin Vulnerabilities

Google Analytics by Yoast <= 5.1.2 Cross-Site Scripting (XSS)

Description

The value of the input field "manual_ua_code_field" (Analytics > Settings) is saved without any validation. Malicious JavaScript code can be injected. Screenshots: http://imgur.com/4TA6sSe,DFUlAy5#1 http://imgur.com/4TA6sSe,DFUlAy5#0

Affects Plugins

Plugin icon
google-analytics-for-wordpress
Fixed in 5.1.3

References

CVE
CVE-2014-9174
URL
https://twitter.com/yoast/status/537569224307511296
URL
https://exchange.xforce.ibmcloud.com/vulnerabilities/99053

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Submitter
SecuBeastTeam
Verified
No
WPVDB ID
478b13a3-dee7-4110-8d3a-1bf50c7cdb41

Timeline

Publicly Published
2014-11-26 (about 11 years ago)
Added
2014-11-26 (about 11 years ago)
Last Updated
2019-10-21 (about 6 years ago)

Other

Published
Title
Published
2024-08-22
Title
Music Request Manager <= 1.3 - Reflected XSS
Published
2025-11-24
Title
Telegram Bot & Channel < 4.1.1 - Unauthenticated Stored Cross-Site Scripting via Telegram Username
Published
2024-06-07
Title
Animated AL List <= 1.0.6 - Reflected XSS
Published
2022-12-24
Title
Store Locator WordPress < 1.4.9 - Contributor+ Stored XSS via Shortcode
Published
2016-07-20
Title
Lazy Load <= 0.6 - Cross-Site Scripting (XSS)