CVE-2019-13478 – Yoast SEO <= 11.5 - Authenticated Stored Cross Site Scripting
https://notcve.org/view.php?id=CVE-2019-13478
The Yoast SEO plugin before 11.6-RC5 for WordPress does not properly restrict unfiltered HTML in term descriptions. El plugin SEO de Yoast versiones anteriores a 11.6-RC5 para WordPress no restringe apropiadamente el HTML no filtrado en las descripciones de términos. The Yoast SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via term descriptions in versions up to, and including, 11.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with post editor access to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://github.com/Yoast/wordpress-seo/releases/tag/11.6-RC5 https://wpvulndb.com/vulnerabilities/9445 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-19370 – Yoast SEO <= 9.1.0 - Race Condition to Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-19370
A Race condition vulnerability in unzip_file in admin/import/class-import-settings.php in the Yoast SEO (wordpress-seo) plugin before 9.2.0 for WordPress allows an SEO Manager to perform command execution on the Operating System via a ZIP import. Una vulnerabilidad de condición de carrera en unzip_file en admin/import/class-import-settings.php en el plugin Yoast SEO (wordpress-seo) en versiones anteriores a la 9.2.0 para WordPress permite que un SEO Manager ejecute comandos en el sistema operativo mediante una importación de ZIP. WordPress SEO (Yoast SEO) plugin versions 9.1 and below suffer from a race condition that allows for command execution. • https://github.com/Yoast/wordpress-seo/pull/11502/commits/3bfa70a143f5ea3ee1934f3a1703bb5caf139ffa https://wordpress.org/plugins/wordpress-seo/#developers https://www.youtube.com/watch?v=nL141dcDGCY • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2017-16842 – Yoast SEO <= 5.7.1 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-16842
Cross-site scripting (XSS) vulnerability in admin/google_search_console/class-gsc-table.php in the Yoast SEO plugin before 5.8.0 for WordPress allows remote attackers to inject arbitrary web script or HTML. Una vulnerabilidad de Cross-Site Scripting (XSS) en admin/google_search_console/class-gsc-table.php en el plugin Yoast SEO en versiones anteriores a la 5.8.0 para WordPress permite que atacantes remotos inyecten scripts web o HTML arbitrarios. WordPress Yoast SEO plugin versions prior to 5.8.0 suffer from a cross site scripting vulnerability. • https://packetstormsecurity.com/files/145080/WordPress-Yoast-SEO-Cross-Site-Scripting.html https://plugins.trac.wordpress.org/changeset/1766831/wordpress-seo/trunk/admin/google_search_console/class-gsc-table.php https://wordpress.org/plugins/wordpress-seo/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-24153 – Yoast SEO < 3.4.1 - Authenticated Stored Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24153
A Stored Cross-Site Scripting vulnerability was discovered in the Yoast SEO WordPress plugin before 3.4.1, which had built-in blacklist filters which were blacklisting Parenthesis as well as several functions such as alert but bypasses were found. Se detectó una vulnerabilidad de tipo Cross-Site Scripting Almacenado en el plugin Yoast SEO WordPress versiones anteriores a 3.4.1, que tenía filtros de lista negra incorporados que incluían paréntesis en la lista negra, así como varias funciones como alertas pero se encontraron omisiones A Stored Cross-Site Scripting vulnerability was discovered in the Yoast SEO WordPress plugin before 3.4.1, which had built-in blacklist filters which were blacklisting parentheses as well as several functions such as alert, but bypasses were found. • https://packetstormsecurity.com/files/138192 https://plugins.trac.wordpress.org/changeset/1466243/wordpress-seo https://wpscan.com/vulnerability/77810044-394d-4314-b9a1-20c7dca726dc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-2292 – Yoast SEO <= 1.7.3.3 - Blind SQL Injection
https://notcve.org/view.php?id=CVE-2015-2292
Multiple SQL injection vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) order_by or (2) order parameter in the wpseo_bulk-editor page to wp-admin/admin.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands. Múltiples vulnerabilidades inyección SQL en admin/class-bulk-editor-list-table.php en WordPress SEO por el plugin Yoast anterior a 1.5.7, 1.6.x anterior a 1.6.4, y 1.7.x anterior a 1.7.4 de WordPress permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través de (1) order_by o (2) parámetro order en la página the wpseo_bulk-editor en wp-admin/admin.php. NOTA: esto se puede aprovechar mediante CSRF que permite a atacantes remotos ejecutar comandos SQL arbitrarios. • https://www.exploit-db.com/exploits/36413 http://packetstormsecurity.com/files/130811/WordPress-SEO-By-Yoast-1.7.3.3-SQL-Injection.html http://seclists.org/fulldisclosure/2015/Mar/73 http://www.securitytracker.com/id/1031920 https://wordpress.org/plugins/wordpress-seo/changelog https://wpvulndb.com/vulnerabilities/7841 https://yoast.com/wordpress-seo-security-release • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •