Clicky by Yoast 1.4.3 - Multiple Stored Cross-site Scripting

Advisory ID: RO-16-006
Severity: Medium
Vendor: Yoast
Product: Clicky by Yoast
Version: 1.4.3

Overview

Multiple Stored Cross-site Scripting (XSS) vulnerabilities exist in the Clicky by Yoast WordPress plugin, version 1.4.3.

Vulnerability Details

Affected Versions: 1.4.3 and earlier
Root Cause: Insufficient input validation in the plugin settings page.

Technical Details

Vulnerable URL: /wp-admin/options-general.php?page=clicky

Vulnerable Parameters (POST):
- admin_site_key
- site_id
- site_key
- outbound_pattern

Attack Pattern: '" onmouseover=alert(0x000136)

Exploitation Requirements

- Admin authentication required
- Stored XSS persists in the saved settings

Impact

Remote attackers can exploit these vulnerabilities to:
- Steal admin session cookies
- Perform administrative actions
- Persistently compromise the WordPress admin panel

Solution

Update to the latest version. See the Yoast SEO changelog.

References

Invicti Advisory NS-16-008

Timeline:
[2016-06-29] - First Contact
[2016-07-01] - Vendor Replied
[2016-07-27] - Advisory Released

Credits: Omar Kurt
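The root cause above is missing validation of settings values that are later rendered back into the settings form. The following is an added example of how a WordPress plugin would close that gap, not Yoast's code; the option group and option name are assumptions, as are the assumed formats (numeric site ID, alphanumeric keys, a plain-text outbound pattern).

```php
<?php
// Added example (not the plugin's own code). Option names are assumptions.
// Sanitize on save: register_setting() runs this callback before the
// submitted POST values reach the database, so a payload such as the
// advisory's '" onmouseover=... is never stored in the first place.
function clicky_example_sanitize_settings( $input ) {
    $clean = array();

    // Assumption: the site ID is a positive integer; anything else becomes 0.
    $clean['site_id'] = isset( $input['site_id'] ) ? absint( $input['site_id'] ) : 0;

    // Assumption: tracking keys are alphanumeric tokens. Strip tags and
    // whitespace first, then drop every remaining non-alphanumeric byte.
    foreach ( array( 'site_key', 'admin_site_key' ) as $key ) {
        $raw           = isset( $input[ $key ] ) ? wp_unslash( $input[ $key ] ) : '';
        $text          = sanitize_text_field( $raw );
        $clean[ $key ] = substr( preg_replace( '/[^A-Za-z0-9]/', '', $text ), 0, 64 );
    }

    // Assumption: the outbound pattern is plain text. sanitize_text_field()
    // removes tags and control bytes; quotes are removed too so the value
    // can never terminate the attribute it is rendered into.
    $raw = isset( $input['outbound_pattern'] ) ? wp_unslash( $input['outbound_pattern'] ) : '';
    $clean['outbound_pattern'] = str_replace(
        array( '"', "'", '<', '>' ),
        '',
        sanitize_text_field( $raw )
    );

    return $clean;
}

add_action( 'admin_init', function () {
    register_setting(
        'clicky_example_group',          // assumed option group
        'clicky_example_options',        // assumed option name
        array( 'sanitize_callback' => 'clicky_example_sanitize_settings' )
    );
} );

// Escape on output as well: input sanitization is a second line of defence,
// esc_attr() is what actually makes the attribute context safe.
function clicky_example_render_field( $name, $value ) {
    printf(
        '<input type="text" name="clicky_example_options[%s]" value="%s" />',
        esc_attr( $name ),
        esc_attr( $value )
    );
}
```

Both halves matter: the sanitize callback keeps unexpected characters out of the stored option, and esc_attr() on render neutralises anything that still reaches the page, which is the layer the advisory says was missing.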