HackDig : Dig high-quality web security articles for hacker

Yoast Wordpress SEO Plugin <= 2.1.1 Stored, Authenticated XSS

2015-06-13 04:05
============================================================
Info
============================================================
Affects: Yoast Wordpress SEO Plugin <= 2.1.1
Download URL: https://wordpress.org/plugins/wordpress-seo/
Advisory URL: https://inventropy.us/blog/yoast-seo-plugin-cross-site-scripting-vulnerability/
Acknowledgement: https://wordpress.org/plugins/wordpress-seo/changelog/

============================================================
Description
============================================================
The "snippet preview" functionality of the Yoast WordPress SEO plugin prior to version 2.2 was susceptible to
cross-site scripting in the admin panel, related to the "metabox" functionality. This vulnerability appears to have
been reported 2 years ago by someone named "badconker" (link:
https://wordpress.org/support/topic/security-issue-with-post-title-field-xss-vulnerability#post-3575617), but the
plugin author said that it had already been patched at the time.

The issue can be triggered by entering arbitrary HTML into the post title field, such as in the example URL provided
below.

============================================================
Vulnerable URL
============================================================
http://example.site/wp-admin/post-new.php?post_title=<img onerror=alert(1) src=>

============================================================
Vulnerable Code
============================================================
try {
str = jQuery('<div/>').html(str).text();
str = str.replace(/</?[^>]+>/gi, '');
str = str.replace(/[(.+?)](.+?[/\1])?/g, '');
} catch (e) {}

Link: https://github.com/Yoast/wordpress-seo/blob/2.1.1/js/wp-seo-metabox.js#L1-13

============================================================
Fix
============================================================
Updating to the latest version (2.2.1 at the time of this advisory) will fix this issue.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


Source: 04/nuJ/5102/erusolcsidlluf/gro.stsilces

Read:3065 | Comments:0 | Tags: Xss

“Yoast Wordpress SEO Plugin <= 2.1.1 Stored, Authenticated XSS”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud