CVE-2014-9174

2014-12-0216:59:10

CWE-79

[email protected]

web.nvd.nist.gov

cve-2014-9174

cross-site scripting

xss

google analytics

yoast

wordpress

remote attackers

arbitrary web script

html

manual uacode field

general settings

nvd

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

5.9 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

65.6%

JSON

Cross-site scripting (XSS) vulnerability in the Google Analytics by Yoast (google-analytics-for-wordpress) plugin before 5.1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the “Manually enter your UA code” (manual_ua_code_field) field in the General Settings.

Affected configurations

NVD

Node

yoastgoogle_analyticsRange≤5.1.2wordpress

yoastgoogle_analyticsMatch5.1wordpress

yoastgoogle_analyticsMatch5.1.1wordpress

CPENameOperatorVersion
yoast:google_analyticsyoast google analyticsle5.1.2
yoast:google_analyticsyoast google analyticseq5.1
yoast:google_analyticsyoast google analyticseq5.1.1

CPE	Name	Operator	Version
yoast:google_analytics	yoast google analytics	le	5.1.2
yoast:google_analytics	yoast google analytics	eq	5.1
yoast:google_analytics	yoast google analytics	eq	5.1.1