WordPress Plugin Vulnerabilities

Yoast SEO < 3.4.1 - Authenticated Stored Cross-Site Scripting (XSS)

Description

A stored XSS scripting vulnerability was discovered in the plugin, which had built-in blacklist filters which were blacklisting Parenthesis as well as several functions such as alert but bypasses were found.

Affects Plugins

Plugin icon
wordpress-seo
Fixed in 3.4.1

References

CVE
CVE-2021-24153
URL
https://packetstormsecurity.com/files/#138192/
URL
https://plugins.trac.wordpress.org/changeset/1466243/wordpress-seo

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
Hammad Shamsi
Submitter
Anonymous
Verified
No
WPVDB ID
77810044-394d-4314-b9a1-20c7dca726dc

Timeline

Publicly Published
2016-08-02 (about 7 years ago)
Added
2016-08-03 (about 7 years ago)
Last Updated
2021-04-05 (about 2 years ago)

Other

Published
Title
Published
2023-10-02
Title
Popup contact form <= 7.1 - Admin+ Stored XSS
Published
2021-08-10
Title
Custom Post View Generator <= 0.4.6 - Reflected Cross-Site Scripting
Published
2023-05-30
Title
Call Now Icon Animate <= 0.1.0 - Admin+ Stored XSS
Published
2015-05-30
Title
Social Media & Share Icons <= 1.1.1.11 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2023-10-12
Title
BuddyPress Global Search <= 1.2.1 - Admin+ Stored XSS