WordPress Plugin Vulnerabilities

Yoast SEO 1.2.0-11.5 - Authenticated Stored XSS

Description

The vendor's description, reference included below:

"Yoast SEO 11.6 also fixes a security issue regarding term pages in WordPress. Unfiltered code was allowed in some fields. This, however, does not pose a problem for single user sites. In specific cases, on multisite installs, this might become an issue because of the way user roles function."

Affects Plugins

Plugin icon
wordpress-seo
Fixed in 11.6
Plugin icon
wordpress-seo-premium
Fixed in 11.6

References

CVE
CVE-2019-13478
URL
https://gist.github.com/sybrew/2f53625104ee013d2f599ac254f635ee
URL
https://github.com/Yoast/wordpress-seo/pull/13221
URL
https://yoast.com/yoast-seo-11.6/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Sybre Waaijer
Submitter
Sybre Waaijer
Submitter website
https://theseoframework.com/
Submitter twitter
SybreWaaijer
Verified
No
WPVDB ID
8bc4cf95-79f7-4d92-b320-a841ab7e6a6f

Timeline

Publicly Published
2019-07-09 (about 6 years ago)
Added
2019-07-10 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2025-10-06
Title
Betheme < 28.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-08-16
Title
CBX Bookmark & Favorite < 1.6.9 - Reflected Cross-Site Scripting
Published
2024-06-07
Title
Animated AL List <= 1.0.6 - Reflected XSS
Published
2023-06-12
Title
WPForms Google Sheet Connector < 3.4.6 - Reflected XSS
Published
2021-05-12
Title
Photo Gallery < 1.5.67 - Authenticated Stored Cross-Site Scripting via Gallery Title