Re: Yoast Wordpress SEO Plugin <= 2.1.1 Stored, Authenticated XSS

["sec () inventropy us" <sec () inventropy us>]

Thank you for investigating. I agree that since this was never patched there don't need to be two separate CVE 
identifiers, but it does seem a little odd to create a new 2012 CVE. In any case, at least it now has an identifier.

Thanks again,
Charles

> On Jun 21, 2015, at 10:59 AM, cve-assign () mitre org wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > https://inventropy.us/blog/yoast-seo-plugin-cross-site-scripting-vulnerability/
> > https://wordpress.org/plugins/wordpress-seo/changelog/
>
> See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6692 for
> the XSS issue related to the "everyone can make a post. This post is
> then validate by an admin user. So everyone can use the security
> breach to execute javascript in admin" threat model on the
> https://wordpress.org/support/topic/security-issue-with-post-title-field-xss-vulnerability
> page from 2012-10-31.
>
> It appears that the outcome is that the XSS payload is stored and then
> immediately reflected. Probably the highest risk is from the stored
> XSS, but the reflected aspect is also relevant if the admin encounters
> a malicious web site while logged into WordPress.
>
> However, that 2012-10-31 page also says:
>
>  - connect you on admin of your site
>  - go to url : [www.yoursite.com]/wp-admin/post-new.php?post_title=<script>alert('There is a problem');</script>
>  - The alert message is displaying !
>
>  => CSRF : http://en.wikipedia.org/wiki/Cross-site_request_forgery
>
> Is (or was) there a separate CSRF vulnerability, of interest to an
> attacker who wants to make a post (without any XSS payload) with the
> admin's credentials?
>
>
> Finally, you mentioned:
>
> > the plugin author said that it had already been patched at the time.
>
> > > This was already patched in 1.3
>
> Apparently this refers to:
>
>  http://plugins.svn.wordpress.org/wordpress-seo/trunk/changelog.txt
>
>  = 1.3 =
>
>  * Long list of small fixes and improvements to code best practices
>  after Sucuri review. Fixes 3 small security issues.
>
> We don't know whether there was an earlier incomplete fix to the
> metabox functionality, so we aren't currently assigning a different
> CVE ID for versions before 1.3.
>
> - -- 
> CVE assignment team, MITRE CVE Numbering Authority
> M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.14 (SunOS)
>
> iQEcBAEBAgAGBQJVht6kAAoJEKllVAevmvmska0IALWeV0XUgZnR55gmkkcG3eQj
> zYKi+tIF3l6+e15h5JjxFcdvoND+DqyMgpko+0Y5qO+ret/lFRPWjfZi8IE/QLXl
> FNiCSKA9k0s+cte+rcsI+UPp3iUC9aG0XkHCD0s5HU27Zd2N6dzWJiJEyy+x9LzN
> ERt20Vmb/zgh2oI5CWzFgtyLE4dQ6svJG9EKEtZxDaBJWFKB2icbpQ0Bwztwsbe4
> eWjaQnMF+vwb7jFJL99TXzDKFuyVIg9fIOlBj7bEHXSTmhkFiilVaXMF/n2LKIxa
> oKrgmmQ9DkZtjPJeBWM7uEiDg6gj5I/+sJ6XIqLzCr5PKsSJIxMq3dVvfTOwkSc=
> =TGMg
> -----END PGP SIGNATURE-----