CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2017-16842 – Yoast SEO <= 5.7.1 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-16842
Cross-site scripting (XSS) vulnerability in admin/google_search_console/class-gsc-table.php in the Yoast SEO plugin before 5.8.0 for WordPress allows remote attackers to inject arbitrary web script or HTML. Una vulnerabilidad de Cross-Site Scripting (XSS) en admin/google_search_console/class-gsc-table.php en el plugin Yoast SEO en versiones anteriores a la 5.8.0 para WordPress permite que atacantes remotos inyecten scripts web o HTML arbitrarios. WordPress Yoast SEO plugin versions prior to 5.8.0 suffer from a cross site scripting vulnerability. • https://packetstormsecurity.com/files/145080/WordPress-Yoast-SEO-Cross-Site-Scripting.html https://plugins.trac.wordpress.org/changeset/1766831/wordpress-seo/trunk/admin/google_search_console/class-gsc-table.php https://wordpress.org/plugins/wordpress-seo/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 11EXPL: 5CVE-2015-2292 – Yoast SEO <= 1.7.3.3 - Blind SQL Injection
https://notcve.org/view.php?id=CVE-2015-2292
Multiple SQL injection vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) order_by or (2) order parameter in the wpseo_bulk-editor page to wp-admin/admin.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands. Múltiples vulnerabilidades inyección SQL en admin/class-bulk-editor-list-table.php en WordPress SEO por el plugin Yoast anterior a 1.5.7, 1.6.x anterior a 1.6.4, y 1.7.x anterior a 1.7.4 de WordPress permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través de (1) order_by o (2) parámetro order en la página the wpseo_bulk-editor en wp-admin/admin.php. NOTA: esto se puede aprovechar mediante CSRF que permite a atacantes remotos ejecutar comandos SQL arbitrarios. • https://www.exploit-db.com/exploits/36413 http://packetstormsecurity.com/files/130811/WordPress-SEO-By-Yoast-1.7.3.3-SQL-Injection.html http://seclists.org/fulldisclosure/2015/Mar/73 http://www.securitytracker.com/id/1031920 https://wordpress.org/plugins/wordpress-seo/changelog https://wpvulndb.com/vulnerabilities/7841 https://yoast.com/wordpress-seo-security-release • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 11EXPL: 3CVE-2015-2293 – Yoast SEO <= 1.7.3.3 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2015-2293
Multiple cross-site request forgery (CSRF) vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for WordPress allow remote attackers to hijack the authentication of certain users for requests that conduct SQL injection attacks via the (1) order_by or (2) order parameter in the wpseo_bulk-editor page. Múltiples vulnerabilidades cross-site request forgery (CSRF) en admin/class-bulk-editor-list-table.php en WordPress SEO en el plugin Yoast anterior a 1.5.7, 1.6.x anterior a 1.6.4, y 1.7.x anterior a 1.7.4 de WordPress permite a atacantes remotos secuestrar la autenticación de ciertos usuarios en las peticiones que conllevan ataques de inyección SQL a través de (1) order_by o (2) parámetro order en la página wpseo_bulk-editor • http://packetstormsecurity.com/files/130811/WordPress-SEO-By-Yoast-1.7.3.3-SQL-Injection.html http://seclists.org/fulldisclosure/2015/Mar/73 http://www.securitytracker.com/id/1031920 https://wordpress.org/plugins/wordpress-seo/changelog https://wpvulndb.com/vulnerabilities/7841 https://yoast.com/wordpress-seo-security-release • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 4CVE-2012-6692 – Yoast SEO <= 2.1.1 - Cross Site Scripting via post_title parameter
https://notcve.org/view.php?id=CVE-2012-6692
Cross-site scripting (XSS) vulnerability in js/wp-seo-metabox.js in the WordPress SEO by Yoast plugin before 2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the post_title parameter to wp-admin/post-new.php, which is not properly handled in the snippet preview functionality. Vulnerabilidad de XSS en js/wp-seo-metabox.js en el plugin WordPress SEO by Yoast anterior a 2.2 para WordPress permite a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través del parámetro post_title en wp-admin/post-new.php, lo cual no se maneja correctamente en la funcionalidad de la previsualización de recortes (snippets). • http://packetstormsecurity.com/files/132294/WordPress-Yoast-2.1.1-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2015/Jun/40 http://www.securityfocus.com/bid/75196 http://www.securitytracker.com/id/1032580 https://inventropy.us/blog/yoast-seo-plugin-cross-site-scripting-vulnerability https://wordpress.org/plugins/wordpress-seo/changelog https://wordpress.org/support/topic/security-issue-with-post-title-field-xss-vulnerability https://yoast.com/wordpress-seo-2-2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •