CVE-2018-19370

6.6MEDIUM

Key Information:

Vendor: Wordpress
Status: Yoast Seo
Vendor: CVE Published:; 28 November 2018

Summary

A Race condition vulnerability in unzip_file in admin/import/class-import-settings.php in the Yoast SEO (wordpress-seo) plugin before 9.2.0 for WordPress allows an SEO Manager to perform command execution on the Operating System via a ZIP import.

References

https://www.youtube.com/watch?v=nL141dcDGCY

x_refsource_MISC

https://wordpress.org/plugins/wordpress-seo/#developers

x_refsource_MISC

https://github.com/Yoast/wordpress-seo/pull/11502/commits...

x_refsource_MISC

CVSS V3.1

Score:

6.6

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 28, 2018
Vulnerability Reserved
Nov 20, 2018