
CVSS: 6.6 | EPSS: 1% | CPEs: 1 | EXPL: 2

A race condition vulnerability in unzip_file in admin/import/class-import-settings.php in the Yoast SEO (wordpress-seo) plugin before 9.2.0 for WordPress allows an SEO Manager to perform command execution on the operating system via a ZIP import. WordPress SEO (Yoast SEO) plugin versions 9.1 and below suffer from a race condition that allows for command execution.

• https://github.com/Yoast/wordpress-seo/pull/11502/commits/3bfa70a143f5ea3ee1934f3a1703bb5caf139ffa
• https://wordpress.org/plugins/wordpress-seo/#developers
• https://www.youtube.com/watch?v=nL141dcDGCY
• CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

A Stored Cross-Site Scripting vulnerability was discovered in the Yoast SEO WordPress plugin before 3.4.1. The plugin had built-in blacklist filters that blacklisted parentheses as well as several functions such as alert, but bypasses were found.

• https://packetstormsecurity.com/files/138192
• https://plugins.trac.wordpress.org/changeset/1466243/wordpress-seo
• https://wpscan.com/vulnerability/77810044-394d-4314-b9a1-20c7dca726dc
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')