WordPress Plugin Vulnerabilities

Yoast SEO: Local < 15.0 - Contributor+ Stored XSS

Description

The plugin does not properly sanitize and escape some of its attributes before outputting them back into the page, which could allow users with a role as low as a contributor to inject arbitrary web scripts into pages and posts.

Affects Plugins

Plugin icon
wpseo-local
Fixed in 15.0

References

CVE
CVE-2023-28785
URL
https://patchstack.com/database/vulnerability/wpseo-local/wordpress-yoast-seo-local-plugin-14-9-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
86b6e09f-80f5-482f-b474-e7860b539044

Timeline

Publicly Published
2023-05-24 (about 2 years ago)
Added
2023-05-30 (about 2 years ago)
Last Updated
2023-05-30 (about 2 years ago)

Other

Published
Title
Published
2024-07-01
Title
SuperSaaS – online appointment scheduling < 2.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-01-17
Title
BP Profile Search < 5.6 - Reflected Cross-Site Scripting via BPS_FORM
Published
2023-01-23
Title
Spotlight Social Feeds < 1.4.3 - Contributor+ Stored XSS
Published
2024-08-01
Title
Tin Canny Reporting for LearnDash < 4.3.0.8 - Reflected Cross-Site Scripting
Published
2024-07-05
Title
zBench <= 1.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting