Clicky by Yoast 1.4.3 - Multiple Stored Cross-site Scripting

Overview

Multiple stored cross-site scripting (XSS) vulnerabilities exist in the Clicky by Yoast WordPress plugin, version 1.4.3.

Vulnerability Details

Affected Versions: 1.4.3 and earlier

Root Cause: Insufficient input validation in the plugin's settings page.

Technical Details

Vulnerable URL: /wp-admin/options-general.php?page=clicky

Vulnerable Parameters (POST):

  • admin_site_key
  • site_id
  • site_key
  • outbound_pattern

Attack Pattern:

'" onmouseover=alert(0x000136)
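
The following is an added example, not code from the plugin or from the original advisory: a hypothetical settings-field renderer showing how the attack pattern above breaks out of a `value` attribute, next to output escaping and a save-time allowlist. The function names and the field formats in `validate_on_save` are assumptions; `htmlspecialchars()` stands in for WordPress's `esc_attr()` so the file runs under the plain PHP CLI with the DOM extension.

```php
<?php
// Added example: hypothetical settings-field renderer, not Clicky's code.
// The payload is the attack pattern quoted in the advisory.
$payload = '\'" onmouseover=alert(0x000136)';

// Vulnerable pattern: stored option echoed into an attribute unescaped.
function render_field_unsafe(string $name, string $stored): string {
    return '<input type="text" name="' . $name . '" value="' . $stored . '">';
}

// Hardened pattern: escape for the attribute context at output time.
// In a WordPress plugin esc_attr() does this job; htmlspecialchars()
// stands in here so the file runs without WordPress loaded.
function render_field_safe(string $name, string $stored): string {
    return '<input type="text" name="' . $name . '" value="'
        . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . '">';
}

// Save-time allowlist for the fields with a fixed shape. The formats are
// assumptions for illustration. outbound_pattern is free text, so it
// can only be protected by output escaping.
function validate_on_save(string $name, string $value): bool {
    $rules = [
        'site_id'        => '/\A[0-9]{1,20}\z/',
        'site_key'       => '/\A[A-Za-z0-9]{1,64}\z/',
        'admin_site_key' => '/\A[A-Za-z0-9]{1,64}\z/',
    ];
    return !isset($rules[$name]) || preg_match($rules[$name], $value) === 1;
}

// Parse the rendered HTML and list the attributes a parser sees on <input>.
function attribute_names(string $html): array {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // fragment input triggers parser notices
    $doc->loadHTML($html);
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

foreach (['site_id', 'outbound_pattern'] as $field) {
    printf("%s accepted on save: %s\n", $field, var_export(validate_on_save($field, $payload), true));
    printf("  unsafe attrs: %s\n", implode(', ', attribute_names(render_field_unsafe($field, $payload))));
    printf("  safe attrs:   %s\n", implode(', ', attribute_names(render_field_safe($field, $payload))));
}
```

An attribute list that contains anything beyond `type`, `name` and `value` means stored data escaped its attribute, which makes `attribute_names()` usable as a regression check after patching.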

Exploitation Requirements

  • Admin authentication required
  • Stored XSS persists in settings

Impact

Remote attackers can exploit these vulnerabilities to:

  • Steal admin session cookies
  • Perform administrative actions
  • Persistently compromise the WordPress admin panel

Solution

Update to the latest version. See Yoast SEO changelog.
