oss-sec mailing list archives

Yoast Wordpress SEO Plugin <= 2.1.1 Stored, Authenticated XSS

From: "sec () inventropy us" <sec () inventropy us>
Date: Mon, 15 Jun 2015 02:54:01 -0500

============================================================
Info
============================================================
Affects:         Yoast Wordpress SEO Plugin <= 2.1.1
Download URL:    https://wordpress.org/plugins/wordpress-seo/
Advisory URL:    https://inventropy.us/blog/yoast-seo-plugin-cross-site-scripting-vulnerability/
Acknowledgement: https://wordpress.org/plugins/wordpress-seo/changelog/

============================================================
Description
============================================================
The "snippet preview" functionality of the Yoast WordPress SEO plugin prior to version 2.2 was susceptible to 
cross-site scripting in the admin panel, related to the "metabox" functionality. This vulnerability appears to have 
been reported 2 years ago by someone named "badconker" (link: 
https://wordpress.org/support/topic/security-issue-with-post-title-field-xss-vulnerability#post-3575617), but the 
plugin author said that it had already been patched at the time.

The issue can be triggered by entering arbitrary HTML into the post title field, such as in the example URL provided 
below.

============================================================
Vulnerable URL
============================================================
http://example.site/wp-admin/post-new.php?post_title=<img onerror=alert(1) src=>

============================================================
Vulnerable Code
============================================================
try {
        str = jQuery('<div/>').html(str).text();
        str = str.replace(/<\/?[^>]+>/gi, '');
        str = str.replace(/\[(.+?)\](.+?\[\/\\1\])?/g, '');
} catch (e) {}

Link: https://github.com/Yoast/wordpress-seo/blob/2.1.1/js/wp-seo-metabox.js#L1-13

============================================================
Fix
============================================================
Updating to the latest version (2.2.1 at the time of this advisory) will fix this issue.

Current thread:

Yoast Wordpress SEO Plugin <= 2.1.1 Stored, Authenticated XSS sec () inventropy us (Jun 15)
- Re: Yoast Wordpress SEO Plugin <= 2.1.1 Stored, Authenticated XSS cve-assign (Jun 21)
  - Re: Yoast Wordpress SEO Plugin <= 2.1.1 Stored, Authenticated XSS sec () inventropy us (Jun 21)