Latest Yoast SEO Version Fixes Vulnerability Recently Fixed in All in One SEO
Earlier today, one of our monitoring systems alerted us that one of the WordPress plugins used by our customers had possibly had a security fix released, as the changelog entry for the latest version of Yoast SEO is:
Fixes a security issue in the post editor.
Our customers are far from the only ones using that plugin, as according to WordPress it has 5+ million installs.
Looking at the changes made in that version, 20.2.1, we found that in several JavaScript files, including /js/dist/post-edit.js, code was changed to output content as text instead of HTML by switching from the innerHTML property to the innerText property. That could indicate that before that change there was a cross-site scripting (XSS) vulnerability in the plugin because of a lack of escaping.
What immediately came to mind as to where that vulnerability might have existed was a vulnerability disclosed earlier this week by Wordfence, involving another popular WordPress plugin, All in One SEO. Wordfence's proof of concept for that vulnerability showed placing JavaScript code into the Post Title element of the plugin's settings for a WordPress post and it being output again without being escaped. That could be done by a WordPress user without the unfiltered_html capability.
Looking at the Yoast SEO plugin, we noticed it had a similar setup, and the same issue was exploitable through at least the SEO title element as of the previous version of the plugin:
That would have allowed a low-level WordPress user to cause JavaScript code to run when a higher-level user went to edit the post with the malicious code.
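The sink change described above, as an added example that is not Yoast SEO's code: the "before" function writes a contributor-supplied SEO title to innerHTML, the "after" function writes it to innerText. Because there is no DOM offline, FakeElement is a constructed stand-in that records whether assigned content would have been parsed as markup; the sample title is a constructed test string.

```javascript
// Minimal escaping for the five characters that matter in HTML text/attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed stand-in for a DOM element. In a browser, assigning innerHTML parses
// the string as HTML (tags become nodes and handlers such as onerror fire), while
// assigning innerText creates a single inert text node. We model only that difference.
class FakeElement {
  #html = '';
  parsedAsMarkup = false;
  set innerHTML(markup) {
    this.#html = String(markup);
    this.parsedAsMarkup = /<[a-z!/]/i.test(this.#html); // would the parser see a tag?
  }
  get innerHTML() { return this.#html; }
  set innerText(text) {
    this.#html = escapeHtml(text); // serialises back as escaped text, never as tags
    this.parsedAsMarkup = false;
  }
}

// "Before": the pattern the 20.2.1 release replaced. A low-privileged author can
// store markup in the SEO title, and it is parsed when a higher-privileged user
// opens the post editor (stored XSS).
function renderSeoTitleVulnerable(el, seoTitle) {
  el.innerHTML = seoTitle;
  return el;
}

// "After": the same value written as text. Angle brackets are shown literally;
// nothing is parsed, so nothing can execute. textContent is the usual choice for
// this (innerText forces layout), but both are safe sinks for untrusted strings.
function renderSeoTitleFixed(el, seoTitle) {
  el.innerText = seoTitle;
  return el;
}

// Constructed test input: a title that carries an event-handler payload.
const SAMPLE_TITLE = 'Quarterly report <img src=x onerror="console.log(\'xss-test\')">';

function demo() {
  const before = renderSeoTitleVulnerable(new FakeElement(), SAMPLE_TITLE);
  const after = renderSeoTitleFixed(new FakeElement(), SAMPLE_TITLE);
  return { before, after };
}
```

If a field must legitimately carry HTML, the fix is an allow-list sanitizer rather than innerText; for a plain title like this one, a text sink is the simplest correct answer.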
We found that the vulnerability had been exploitable in versions going back to 2018.
We tested and confirmed that our firewall plugin for WordPress protected against the vulnerability before it was even discovered, as part of its protection against zero-day vulnerabilities.
After looking into that, we checked to see if anyone had already disclosed this and found that Yoast had put out a tweet confirming what we had found:
Today we released a security update to Yoast SEO. We recommend that everyone updates to the latest version.
When @wordfence recently found a vulnerability in another SEO plugin, we found a similar (but less severe) issue in our own code. We patched it immediately.
It would be a good idea for those using other plugins that have a similar setup to check to make sure they are not similarly vulnerable.