A vulnerability in a WordPress plug-in could allow an unauthenticated attacker to store arbitrary HTML, including JavaScript, in the WordPress administrator’s Dashboard on the target system.
According to Finnish researcher Jouko Pynnönen, the JavaScript will be triggered when an administrator views the plug-in’s settings panel. No further user interaction is required. “Typically this can be used for arbitrary server-side code execution via the plugin or theme editors. Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target site,” he added.
The flaw is in Yoast. Yoast was notified about the flaw on Wednesday, and a new version of the plug-in (5.3.3) was released on Thursday. According to Yoast owner Joost de Valk, there has been no evidence that the flaw was exploited in the wild.