This video demonstrates the stored XSS vulnerability in Google Analytics by Yoast. The vendor assigned it DREAD score 5 (low). Apparently based on the number, some commentators have characterised the security issue as “minor” and the upgrade as “low priority”.
We still think this is a critical vulnerability. Rather than using a number, it’s probably more insightful to see what the vulnerability means in the real world.
It’s also apparently the most serious vulnerability ever reported in the Yoast WordPress plug-ins; it’s exploitable by anyone, doesn’t require the victim to visit any external page, and leads to server-side code execution.
This video shows how an attacker can inject the exploit in WordPress Dashboard. Viewing the settings page triggers it. At that moment the attacker’s “backdoor” PHP gets written on the server – in this case to a file called hello.php. It can contain any code and e.g. give interactive shell access.
It’s important to patch your system even though the vendor assigned a low number. This isn’t one of those “potential scenarios”.