Yoast SEO Plugin Vulnerable to Stored Cross-Site Scripting
CVE-2024-4984

6.4MEDIUM

Key Information:

Vendor
Wordpress
Status
Yoast Seo
Vendor
CVE Published:
16 May 2024

Badges

📈 Trended📈 Score: 4,270📰 News Worthy

What is CVE-2024-4984?

CVE-2024-4984 is a vulnerability identified in the Yoast SEO plugin for WordPress, which is widely used to optimize website visibility on search engines. The vulnerability is classified as a Stored Cross-Site Scripting (XSS) flaw, which arises from inadequate input sanitization and output escaping. This issue can negatively impact an organization by allowing authenticated attackers with contributor-level access to inject harmful scripts into web pages. These scripts can execute automatically when users access the infected pages, leading to potential data theft, defacement, or further attacks on both users and the website.

Technical Details

The vulnerability exists in all versions of the Yoast SEO plugin up to and including version 22.6. It affects the ‘display_name’ author meta, where insufficient protection against malicious input enables attackers to embed arbitrary web scripts. The flaw allows these scripts to be stored and later executed in the context of user sessions, meaning that once a user visits an exploited page, the injected scripts can manipulate the user's session or redirect them to malicious sites.

Impact of the Vulnerability

  1. User Session Hijacking: The exploitation of this vulnerability permits attackers to hijack user sessions, enabling unauthorized access to private information or administrative controls within the website.

  2. Malicious Redirection: Attackers can redirect users to unsafe websites, increasing the risk of phishing attempts or distributing malware, which can further compromise both user and website security.

  3. Reputation Damage: The presence of such a vulnerability in a popular WordPress plugin can lead to a loss of trust among users and partners, negatively impacting an organization's reputation and user engagement.

Affected Version(s)

Yoast SEO * <= 22.6

News Articles

favicon imagelinuxpatch.com

Understanding the Security Implications of CVE-2024-4984 in the Yoast SEO Plugin

A comprehensive breakdown of the CVE-2024-4984 vulnerability found in the Yoast SEO plugin for WordPress, discussing its potential effects and urging users to update their systems to mitigate risks.

8 months ago

favicon imageprophaze.com

CVE-2022-37897 : ARUBA NETWORKS ARUBAOS PAPI COMMAND INJECTION - Cloud WAF

CVE-2022-37897 : There is a command injection vulnerability that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211).

8 months ago

favicon imageprophaze.com

CVE-2024-4984 : YOAST SEO PLUGIN UP TO 22.6 ON WORDPRESS DISPLAY_NAME CROSS SITE SCRIPTING - Cloud WAF

CVE-2024-4984 : The Yoast SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘display_name’ author meta in all versions up to, and including, 22.6 due to insufficient input sanitization and output escaping.

9 months ago

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://github.com/Yoast/wordpress-seo/pull/21334
https://plugins.trac.wordpress.org/changeset/3079234/word...

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • 📈

    Vulnerability started trending

  • 📰

    First article discovered by prophaze.com

  • Vulnerability published

  • Vulnerability Reserved

Credit

rob006
.