Clicky by Yoast 1.4.3 Cross Site Scripting
Clicky by Yoast 1.4.3 - Multiple Stored Cross-site Scripting
Advisory ID: RO-16-006
Severity: Medium
Vendor: Yoast
Product: Clicky by Yoast
Version: 1.4.3
Overview
Multiple Stored Cross-site Scripting (XSS) vulnerabilities exist in Clicky by Yoast WordPress Plugin version 1.4.3.
Vulnerability Details
Affected Versions: 1.4.3 and earlier
Root Cause: Insufficient input validation in plugin settings page.
Technical Details
Vulnerable URL: /wp-admin/options-general.php?page=clicky
Vulnerable Parameters (POST):
admin_site_key
site_id
site_key
outbound_pattern
Attack Pattern:
'" onmouseover=alert(0x000136)
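The following is an added example and is not code from the Clicky by Yoast plugin. It shows the root cause named above in miniature: a settings value echoed into an HTML attribute without escaping, next to the same field rendered with esc_attr() and saved through a sanitize_callback. It assumes it runs inside WordPress (esc_attr, sanitize_text_field, register_setting, add_settings_error and get_option are WordPress functions); the option name demo_site_id, the settings group demo_options and the alphanumeric format check are assumptions, not the plugin's own names or rules.

```php
<?php
// Added example, not part of the Clicky by Yoast plugin. Assumes it is loaded
// as part of a WordPress plugin so the WordPress API functions exist.

// Vulnerable rendering: the stored value is concatenated straight into the
// value="" attribute. A stored value such as the advisory's
//   '" onmouseover=alert(0x000136)
// closes the attribute and adds an event handler to the input element.
function demo_render_site_id_unsafe( $value ) {
    return '<input type="text" name="demo_site_id" value="' . $value . '">';
}

// Hardened rendering: esc_attr() encodes ", ', <, > and &, so whatever is in
// the database stays inside the attribute as inert text.
function demo_render_site_id_safe( $value ) {
    return '<input type="text" name="demo_site_id" value="' . esc_attr( $value ) . '">';
}

// Hardened input: validate on save, not only on output. The alphanumeric
// format is an assumption chosen for a site id / key field; a field that
// legitimately holds a pattern (such as outbound_pattern above) needs its own,
// looser check but still needs escaping on output.
function demo_sanitize_site_id( $value ) {
    $value = sanitize_text_field( (string) $value );
    if ( ! preg_match( '/^[A-Za-z0-9]*$/', $value ) ) {
        add_settings_error(
            'demo_site_id',
            'demo_site_id_invalid',
            'Site ID may only contain letters and digits.'
        );
        // Reject the submission and keep the previously stored (valid) value.
        return get_option( 'demo_site_id', '' );
    }
    return $value;
}

// Register the option with the Settings API so every save passes through the
// sanitize_callback; settings_fields() on the form also supplies the nonce.
add_action( 'admin_init', function () {
    register_setting(
        'demo_options',
        'demo_site_id',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'demo_sanitize_site_id',
            'default'           => '',
        )
    );
} );

// Output on the settings page: always the escaped variant.
function demo_print_site_id_field() {
    echo demo_render_site_id_safe( get_option( 'demo_site_id', '' ) );
}
```

With the advisory's value stored, demo_render_site_id_unsafe() yields `<input type="text" name="demo_site_id" value="'" onmouseover=alert(0x000136)">`, an input with an injected event handler, while demo_render_site_id_safe() yields `value="&#039;&quot; onmouseover=alert(0x000136)"`, which the browser treats as plain text. Escaping on output is the fix that holds regardless of how the value got into the database; the sanitize_callback is defence in depth for the settings form itself.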
Exploitation Requirements
Admin authentication required
Stored XSS persists in settings
Impact
Remote attackers can exploit these vulnerabilities to:
Steal admin session cookies
Perform administrative actions
Persistently compromise the WordPress admin panel
Solution
Update to the latest version. See the Yoast SEO changelog.
References
Invicti Advisory NS-16-008
Timeline:
[2016-06-29] - First Contact
[2016-07-01] - Vendor Replied
[2016-07-27] - Advisory Released
Credits: Omar Kurt
- Written by: khalil shreateh
- Category: Vulnerabilities