Google Analytics By Yoast Premium 5.4.4 Cross Site Scripting

Type packetstorm
Reporter Tom Adams
Modified 2015-08-10T00:00:00


Software: Google Analytics by Yoast Premium  
Version: 5.4.4  
Advisory report:  
CVE: Awaiting assignment  
CVSS: 5.5 (Medium; AV:N/AC:L/Au:S/C:P/I:P/A:N)  
Stored XSS in Google Analytics by Yoast Premium allows privileged users to attack other users  
A user with the “manage_options” capability but not the “unfiltered_html” capability is able to add arbitrary JavaScript to a page visible to admins.  
In the default configuration of WordPress, all users with the “manage_options” capability have the “unfiltered_html” capability. However it is possible to remove the “unfiltered_html” capability from (non-super) admin users. Therefore this presents a vulnerability in which an authenticated user is able to exceed their privileges.  
Proof of concept  
Remove the “unfiltered_html” capability from the admin role and log in as a non-super admin  
For testing you can remove that capability from all users with this line: add_filter(‘user_has_cap‘, function ($allcaps, $cap, $args) { $allcaps[‘unfiltered_html‘] = false; return $allcaps; }, 10, 3);  
Visit Analytics > Settings  
Click the Advanced tab  
Enter the following into the Subdomain tracking field (including the quotes): ” onfocus=”alert(1)  
Click Save changes  
Refresh the page  
Click the Advanced tab  
Focus the Subdomain tracking field by clicking it or tabbing to it  
alert(1) will be called  
Upgrade to version 5.4.5 or later.  
If all users have the ‘unfiltered_html’ capability, or there is only one admin, then there is no issue.  
Disclosure policy  
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy:  
Please contact us on to acknowledge this report if you received it via a third party (for example, as they generally cannot communicate with us on your behalf.  
This vulnerability will be published if we do not receive a response to this report with 14 days.  
2015-07-21: Discovered  
2015-07-22: Reported to vendor via email  
2015-07-22: Requested CVE  
2015-08-10: Vendor confirmed fixed in version 5.4.5  
2015-08-10: Published  
Discovered by dxw:  
Tom Adams  
Please visit for more information.