The Yoast WordPress SEO plugin, which has been downloaded more than 14 million times, has a serious cross-site scripting vulnerability that allows an attacker to inject arbitrary HTML into a vulnerable site, where it is rendered and executed in visitors' browsers.
The bug may have been reported to the plugin’s developer as long as two years ago, but it was still present in current versions up to 2.1.1.
“The ‘snippet preview’ functionality of the Yoast WordPress SEO plugin was susceptible to cross-site scripting in versions before 2.2 (<= 2.1.1). This vulnerability appears to have been reported 2 years ago by someone named ‘badconker’, but the plugin author said that it was already patched. Unfortunately, it appears that this is not the case. If you are running this plugin, I recommend updating to the latest version,” the advisory from researcher Charles Neill says.
“The vulnerable part is on line 6 of wordpress-seo/js/wp-seo-metabox.js where the yst_clean function passes the ‘str’ parameter to the jQuery .html() function, then tries to get the text from that object. This means that any HTML will be executed when it is passed through the sanitization function.”
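The anti-pattern the advisory describes, shown beside a hardened alternative, as an added example that is not the plugin's own code. The function names (`ystCleanUnsafe`, `stripTags`, `escapeHtml`, `ystCleanSafe`) and the sample inputs are illustrative assumptions; the unsafe variant is included only for comparison and is never called here, since it needs a browser and jQuery to do anything.

```javascript
// Added example (not from the Yoast plugin). Illustrates why "sanitizing" a
// string by parsing it as HTML and reading the text back is unsafe, and what
// a non-parsing replacement looks like.

// The flawed pattern as described in the advisory: jQuery(...).html(str)
// parses `str` as markup and inserts the resulting nodes, so any inline event
// handler in that markup fires before .text() ever returns. Shown for
// reference only; it requires a browser with jQuery loaded.
function ystCleanUnsafe(str) {
  return jQuery('<div/>').html(str).text(); // markup is parsed and live here
}

// Hardened replacement: treat untrusted input as text, never as markup.
// Step 1: remove tag-like sequences with a plain string operation (no DOM is
// built, so nothing can execute).
function stripTags(str) {
  return String(str).replace(/<[^>]*>/g, '');
}

// Step 2: escape whatever remains so the value is inert wherever it is later
// inserted, even into an innerHTML sink.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function ystCleanSafe(str) {
  return escapeHtml(stripTags(str));
}

// Constructed sample inputs a snippet preview might receive.
const SAMPLES = [
  '<img src=x onerror=alert(1)>hello',   // classic event-handler payload
  'a < b',                               // a stray "<" with no closing ">"
  '<b>bold</b> & "quoted"',              // harmless markup plus special chars
];

function demo() {
  return SAMPLES.map((s) => ystCleanSafe(s));
}
```

In a browser, the equivalent of step 2 is to assign the cleaned value with `element.textContent` rather than `.html()` or `innerHTML`; the escaping function above is for cases where the value must end up in a markup string anyway. Note that the tag stripper is intentionally crude: it is the escaping step, not the stripping, that guarantees the output cannot execute.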
The vulnerability was fixed in version 2.2 of the WordPress SEO plugin, which was released on June 10.
This is the second major vulnerability in the plugin that has been fixed in the last few months. In March, the plugin’s developer patched a SQL injection vulnerability in versions prior to 1.7.4.
“Fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor. Added strict sanitation to order_by and order params. Added extra nonce checks on requests sending additional parameters,” the release notes for that version say.