Vulners
Lucene search
Google Analytics By Yoast Premium 5.4.4 Cross Site Scripting
đď¸Â 10 Aug 2015 00:00:00Reported by Tom AdamsType 
 packetstormđ packetstormsecurity.comđ 43 Views
`Details
================
Software: Google Analytics by Yoast Premium
Version: 5.4.4
Homepage: https://yoast.com/wordpress/plugins/google-analytics/
Advisory report: https://security.dxw.com/advisories/xss-in-google-analytics-by-yoast-premium-by-privileged-users/
CVE: Awaiting assignment
CVSS: 5.5 (Medium; AV:N/AC:L/Au:S/C:P/I:P/A:N)
Description
================
Stored XSS in Google Analytics by Yoast Premium allows privileged users to attack other users
Vulnerability
================
A user with the âmanage_optionsâ capability but not the âunfiltered_htmlâ capability is able to add arbitrary JavaScript to a page visible to admins.
In the default configuration of WordPress, all users with the âmanage_optionsâ capability have the âunfiltered_htmlâ capability. However it is possible to remove the âunfiltered_htmlâ capability from (non-super) admin users. Therefore this presents a vulnerability in which an authenticated user is able to exceed their privileges.
Proof of concept
================
Remove the âunfiltered_htmlâ capability from the admin role and log in as a non-super admin
For testing you can remove that capability from all users with this line: add_filter(âuser_has_capâ, function ($allcaps, $cap, $args) { $allcaps[âunfiltered_htmlâ] = false; return $allcaps; }, 10, 3);
Visit Analytics > Settings
Click the Advanced tab
Enter the following into the Subdomain tracking field (including the quotes): â onfocus=âalert(1)
Click Save changes
Refresh the page
Click the Advanced tab
Focus the Subdomain tracking field by clicking it or tabbing to it
alert(1) will be called
Mitigations
================
Upgrade to version 5.4.5 or later.
If all users have the âunfiltered_htmlâ capability, or there is only one admin, then there is no issue.
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on [email protected] to acknowledge this report if you received it via a third party (for example, [email protected]) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report with 14 days.
Timeline
================
2015-07-21: Discovered
2015-07-22: Reported to vendor via email
2015-07-22: Requested CVE
2015-08-10: Vendor confirmed fixed in version 5.4.5
2015-08-10: Published
Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
10 Aug 2015 00:00Current
7.4High risk
Vulners AI Score7.4