PT-2015-5698 · Yoast · Wordpress Seo By Yoast

Ryan Dewhurst

Published

2015-03-17

Updated

2016-12-03

CVE-2015-2292

CVSS v2.0

6.5

Medium

Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions WordPress SEO by Yoast plugin versions 1.5.7 and earlier, 1.6.x before 1.6.4, 1.7.x before 1.7.4

Description The issue allows remote authenticated users to execute arbitrary SQL commands via the order by or order parameter in the "wpseo bulk-editor" page to "wp-admin/admin.php". This can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands.

Recommendations For WordPress SEO by Yoast plugin version 1.5.7 and earlier, update to version 1.5.7 or later. For WordPress SEO by Yoast plugin version 1.6.x before 1.6.4, update to version 1.6.4 or later. For WordPress SEO by Yoast plugin version 1.7.x before 1.7.4, update to version 1.7.4 or later.

Exploit

Fix

RCE

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2015-2292

Affected Products

Wordpress Seo By Yoast

PT-2015-5698 · Yoast · Wordpress Seo By Yoast

CVE-2015-2292

Weakness Enumeration

Related Identifiers

Affected Products

References · 9