Support » Plugin: Yoast SEO » Security issue with post title field (XSS vulnerability)

  • (Sorry for my English, it’s not my native language)

    WordPress version: 3.4.2
    WordPress SEO version: 1.2.8.7

    I did this:
    I filled the field post_title of a page/post/custom_post with "<script>alert('We have a problem');</script>"

    I expected the plugin to do this: nothing in particular

    Instead it did this:
    A popup message “We have a problem”.

    On my site, everyone can make a post. This post is then validated by an admin user. So everyone can use the security breach to execute JavaScript in admin!

    Temporary patch:

    ===================================================================
    --- class-metabox.php	(révision 2)
    +++ class-metabox.php	(révision 3)
    @@ -816,7 +816,7 @@
     			echo '<div title="' . $title . '" alt="' . $title . '" class="wpseo_score_img ' . $score . '"></div>';
     		}
     		if ( $column_name == 'wpseo-title' ) {
    -			echo $this->page_title( $post_id );
    +			echo esc_html($this->page_title( $post_id ));
     		}
     		if ( $column_name == 'wpseo-metadesc' ) {
     			echo wpseo_get_value( 'metadesc', $post_id );
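
    Review bot: only the wpseo-title branch is escaped; the wpseo-metadesc branch two lines further down still echoes wpseo_get_value( 'metadesc', $post_id ) raw, and the first context line places $title and $score into the title, alt and class attributes with no escaping visible in this hunk. Suggest wrapping the metadesc output in esc_html() and the attribute values in esc_attr() in the same change, so that every column printing user-editable post data is covered. Style: WordPress coding standards put spaces inside the call parentheses, i.e. esc_html( $this->page_title( $post_id ) ).
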
    Index: wp-seo-metabox.js
    ===================================================================
    --- wp-seo-metabox.js	(révision 2)
    +++ wp-seo-metabox.js	(révision 3)
    @@ -46,7 +46,7 @@
     	if ( jQuery("#yoast_wpseo_title").val() ) {
     		var title = jQuery("#yoast_wpseo_title").val();
     	} else {
    -		var title = wpseo_title_template.replace('%%title%%', jQuery('#title').val() );
    +		var title = wpseo_title_template.replace('%%title%%', jQuery('<div/>').text(jQuery('#title').val()).html() );
     	}
     	if ( title == '' ) {
     		jQuery('#wpseosnippet .title').html( '' );
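
    Review bot: the encoding is applied only in the else branch; when #yoast_wpseo_title has a value, title is taken from val() unencoded, and the context line below writes to #wpseosnippet .title with .html(). If the non-empty title is rendered through .html() as well (not visible in this hunk), the custom SEO title field remains an injection point. Suggest encoding once after the if/else so both branches are covered, or writing the snippet title with .text() instead of .html() so that no branch depends on manual encoding.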

    http://wordpress.org/extend/plugins/wordpress-seo/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Joost de Valk

    (@joostdevalk)

    This was already patched in 1.3

    Hi,

    Thanks for your new version, but I have tested again with WordPress 3.5 and wordpress-seo 1.3.3 (and developer version…) and it seems not to be resolved at all!! (specifically in wp-seo-metabox.js)

    Simple test:
    – log in to the admin of your site
    – go to URL: [www.yoursite.com]/wp-admin/post-new.php?post_title=<script>alert('There is a problem');</script>
    – The alert message is displayed!

    => CSRF: http://en.wikipedia.org/wiki/Cross-site_request_forgery

    For me, it’s a big security issue.

  • The topic ‘Security issue with post title field (XSS vulnerability)’ is closed to new replies.