Yoast SEO <= 20.2 – Authenticated (Contributor+) DOM-Based Cross-Site Scripting

Please note: The Wordfence team is still assessing this vulnerability and will add more details as they become available. The Yoast SEO plugin for WordPress is vulnerable to DOM-based Cross-Site Scripting via individual post SEO details in versions up to, and including, 20.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PYWP clients have already been updated to the latest (patched) version.

Source and more details: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wordpress-seo/yoast-seo-202-authenticated-contributor-dom-based-cross-site-scripting
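To check whether a site still runs a version in the affected range (up to and including 20.2), the following added example, which is not code from Wordfence, Yoast or PYWP, reads the plugin's `Version:` header from disk and compares it numerically. It assumes the standard `wp-content/plugins/wordpress-seo/` layout; the header files it builds for the demonstration are constructed samples.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (20, 2)        # advisory: versions up to and including 20.2
PLUGIN_SLUG = "wordpress-seo"  # plugin slug as it appears in the advisory URL
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.M | re.I)

def parse_version(text):
    """'20.2.1' -> (20, 2, 1); a suffix such as '-RC1' is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))

def is_affected(version):
    """True when version <= 20.2, compared numerically (20.10 > 20.2)."""
    v = parse_version(version or "")
    width = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))
    return bool(v) and pad(v) <= pad(LAST_AFFECTED)

def installed_version(wp_root):
    """Return the plugin's Version header, or None if it is not installed."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        # Like WordPress, only look at the start of each top-level file.
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        match = VERSION_RE.search(head) if "Plugin Name:" in head else None
        if match:
            return match.group(1)
    return None

def audit_constructed(versions):
    """Build throwaway sites with constructed header files and check each."""
    results = {}
    for ver in versions:
        with tempfile.TemporaryDirectory() as root:
            d = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
            d.mkdir(parents=True)
            (d / "wp-seo.php").write_text(  # constructed sample header
                f"<?php\n/**\n * Plugin Name: Yoast SEO\n * Version: {ver}\n */\n")
            results[ver] = is_affected(installed_version(root))
    return results

if __name__ == "__main__":
    for ver, bad in audit_constructed(["19.14", "20.2", "20.2.1", "20.10"]).items():
        print(ver, "AFFECTED" if bad else "not in affected range")
```

On a real host, call `installed_version()` with the WordPress root directory and pass the result to `is_affected()`.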
