EXECUTIVE SUMMARY
A critical cross-site scripting (XSS) vulnerability has been discovered in the popular Yoast SEO WordPress plugin, potentially putting over 5 million websites at risk of compromise. Tracked as CVE-2024-4041, the reflected XSS vulnerability exists in all Yoast SEO, due to insufficient input sanitization and output escaping. It allows unauthenticated attackers to inject malicious scripts into WordPress pages via the plugin’s URL parameters, which, when clicked by an administrator, execute in their browser session. Successful exploitation could lead to the creation of rogue admin accounts, injection of backdoors into theme and plugin files, redirection of visitors to malicious sites, and complete control over the vulnerable WordPress site. Address the security hole, urging all using Yoast SEO to update immediately. Administrators are advised to review their sites for any signs of suspicious activity and follow security best practices. Users are against any exploit attempts targeting this flaw. The incident underscores the importance of keeping WordPress plugins updated and the key role played in responsibly disclosing vulnerabilities.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details: