Yoast SEO <= 2.1.1 - Authenticated Stored DOM XSS

The “snippet preview” functionality of the Yoast WordPress SEO plugin was susceptible to cross-site scripting in versions before 2.2.

PoC

Vulnerable URL: /wp-admin/post-new.php?post_title= Vulnerable Code (wordpress-seo/js/wp-seo-metabox.js): function yst_clean(str) { if (str == ‘’ || str == undefined) return ‘’; try { str = jQuery(’

').html(str).text(); str = str.replace(/</?[^>]+>/gi, ‘’); str = str.replace(/\(.+?)\?/g, ‘’); } catch (e) { } return str; } Link: https://github.com/Yoast/wordpress-seo/blob/2.1.1/js/wp-seo-metabox.js#L1-13