Google Analytics By Yoast Stored XSS


This video demonstrates the stored XSS vulnerability in Google Analytics by Yoast. The vendor assigned it DREAD score 5 (low). Apparently based on the number, some commentators have characterised the security issue as “minor” and the upgrade as “low priority”.

We still think this is a critical vulnerability. Rather than using a number, it’s probably more insightful to see what the vulnerability means in the real world.

It’s also apparently the most serious vulnerability ever reported in the Yoast WordPress plug-ins; it’s exploitable by anyone, doesn’t require the victim to visit any external page, and leads to server-side code execution.

This video shows how an attacker can inject the exploit into the WordPress Dashboard. Viewing the settings page triggers it. At that moment the attacker’s “backdoor” PHP gets written on the server – in this case to a file called hello.php. It can contain any code and can, for example, give interactive shell access.
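The chain above starts with a classic defect: a stored plugin setting that is echoed back into the dashboard HTML without escaping, so it executes in the browser of whichever administrator opens the page. The following is an added example written for this post, not code from the Yoast plugin or any other real project. It is a hypothetical settings page (the option name ga_demo_tracking_id, the group ga_demo_group, the UA-style format check and every function name are assumptions) that shows the unescaped echo next to the sanitise-on-input, escape-on-output form using WordPress's own esc_attr(), esc_html(), sanitize_text_field(), register_setting() and current_user_can().

```php
<?php
// Added example, not the Yoast plugin's code. Shows how a stored setting
// becomes a stored XSS when echoed unescaped into the admin dashboard, and
// the hardened way to store and render it. Option and group names are assumptions.

// --- Vulnerable pattern -----------------------------------------------------
// Whatever was saved into the option is written straight into HTML: both into
// an attribute and into element text. Any markup in the stored value runs in
// the administrator's browser when the settings page is viewed.
function ga_demo_render_settings_vulnerable() {
    $tracking_id = get_option( 'ga_demo_tracking_id', '' );
    echo '<input type="text" name="ga_demo_tracking_id" value="' . $tracking_id . '">';
    echo '<p>Current tracking ID: ' . $tracking_id . '</p>';
}

// --- Hardened pattern -------------------------------------------------------
// 1. Sanitise on input: register the option with a sanitize_callback so only
//    a value of the expected shape is ever stored.
add_action( 'admin_init', function () {
    register_setting(
        'ga_demo_group',
        'ga_demo_tracking_id',
        array( 'sanitize_callback' => 'ga_demo_sanitize_tracking_id' )
    );
} );

function ga_demo_sanitize_tracking_id( $value ) {
    $value = sanitize_text_field( $value );
    // A tracking ID has a narrow, known shape (assumed UA-xxxx-y here); reject
    // anything else and keep the previously stored value.
    if ( ! preg_match( '/^UA-\d+-\d+$/', $value ) ) {
        add_settings_error( 'ga_demo_tracking_id', 'invalid', 'Invalid tracking ID.' );
        return get_option( 'ga_demo_tracking_id', '' );
    }
    return $value;
}

// 2. Escape on output, with the escaping chosen for the HTML context, and
//    only render the page to users who may manage options. Escaping happens
//    regardless of what is stored, so it still protects if sanitisation is
//    bypassed or the option is modified by another path.
function ga_demo_render_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $tracking_id = get_option( 'ga_demo_tracking_id', '' );
    echo '<form method="post" action="options.php">';
    settings_fields( 'ga_demo_group' ); // emits the nonce and hidden fields the save handler checks
    echo '<input type="text" name="ga_demo_tracking_id" value="' . esc_attr( $tracking_id ) . '">';
    echo '<p>Current tracking ID: ' . esc_html( $tracking_id ) . '</p>';
    submit_button();
    echo '</form>';
}
```

The two halves address the two halves of the attack: the capability check and nonce restrict who can change the setting, and the context-specific escaping means that even a hostile stored value is rendered as inert text rather than executed in an administrator's session, where WordPress's own plugin and theme editors would otherwise let injected script write PHP to disk.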

It’s important to patch your system even though the vendor assigned a low number. This isn’t one of those “potential scenarios”.

More information:
