WordPress Plugin Vulnerabilities

Yoast SEO <= 9.1 - Authenticated Race Condition

Description

According to the changelog,

"Race Condition which leads to command execution, by users with SEO Manager roles."

Affects Plugins

Plugin icon
wordpress-seo
Fixed in 9.2

References

CVE
CVE-2018-19370
URL
https://packetstormsecurity.com/files/#150497/
URL
https://plugins.trac.wordpress.org/changeset/1977260/wordpress-seo
URL
https://github.com/Yoast/wordpress-seo/pull/11502/commits/3bfa70a143f5ea3ee1934f3a1703bb5caf139ffa

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
6.6 (medium)

Miscellaneous

Original Researcher
Dimopoulos Ilias
Submitter
Dimopoulos Ilias
Submitter twitter
gweeperx
Verified
No
WPVDB ID
bd32be83-db19-4026-adc9-9da284849ee3

Timeline

Publicly Published
2018-11-20 (about 7 years ago)
Added
2018-11-20 (about 7 years ago)
Last Updated
2020-10-02 (about 5 years ago)

Other

Published
Title
Published
2024-03-13
Title
WP Fusion Lite < 3.42.10 - Authenticated (Contributor+) Remote Code Execution
Published
2020-02-18
Title
ThemeREX Addons - Remote Code Execution
Published
2025-03-28
Title
So-Called Air Quotes <= 0.1 - Unauthenticated Arbitrary Shortcode Execution
Published
2026-03-16
Title
Post Snippets – Custom WordPress Code Snippets Customizer < 4.0.13 - Authenticated (Contributor+) Remote Code Execution
Published
2023-09-19
Title
File Manager Pro < 1.8.1 - Admin+ Remote Code Execution