CVE-2015-2293 – Yoast SEO <= 1.7.3.3 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2015-2293
Multiple cross-site request forgery (CSRF) vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for WordPress allow remote attackers to hijack the authentication of certain users for requests that conduct SQL injection attacks via the (1) order_by or (2) order parameter in the wpseo_bulk-editor page.
• http://packetstormsecurity.com/files/130811/WordPress-SEO-By-Yoast-1.7.3.3-SQL-Injection.html
• http://seclists.org/fulldisclosure/2015/Mar/73
• http://www.securitytracker.com/id/1031920
• https://wordpress.org/plugins/wordpress-seo/changelog
• https://wpvulndb.com/vulnerabilities/7841
• https://yoast.com/wordpress-seo-security-release
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2014-9174 – MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) <= 5.1.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-9174
Cross-site scripting (XSS) vulnerability in the Google Analytics by Yoast (google-analytics-for-wordpress) plugin before 5.1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "Manually enter your UA code" (manual_ua_code_field) field in the General Settings.
• http://www.securityfocus.com/bid/71330
• https://exchange.xforce.ibmcloud.com/vulnerabilities/99053
• https://twitter.com/yoast/status/537569224307511296
• https://wordpress.org/plugins/google-analytics-for-wordpress/changelog
• https://wpvulndb.com/vulnerabilities/7692
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-6692 – Yoast SEO <= 2.1.1 - Cross Site Scripting via post_title parameter
https://notcve.org/view.php?id=CVE-2012-6692
Cross-site scripting (XSS) vulnerability in js/wp-seo-metabox.js in the WordPress SEO by Yoast plugin before 2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the post_title parameter to wp-admin/post-new.php, which is not properly handled in the snippet preview functionality.
• http://packetstormsecurity.com/files/132294/WordPress-Yoast-2.1.1-Cross-Site-Scripting.html
• http://seclists.org/fulldisclosure/2015/Jun/40
• http://www.securityfocus.com/bid/75196
• http://www.securitytracker.com/id/1032580
• https://inventropy.us/blog/yoast-seo-plugin-cross-site-scripting-vulnerability
• https://wordpress.org/plugins/wordpress-seo/changelog
• https://wordpress.org/support/topic/security-issue-with-post-title-field-xss-vulnerability
• https://yoast.com/wordpress-seo-2-2
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')