• Resolved Nazar Tikhoniuk

    (@nazartikhonyuk)


    Hello!

    We have had several security vulnerabilities raised against the Yoast SEO plugin (version 23.4):

    • Info: Versions of the package ua-parser-js from 0.7.30 and before 0.7.33, from 0.8.1 and before 1.0.33 are vulnerable to Regular Expression Denial of Service (ReDoS) via the trim() function.
      File: /wp-content/plugins/wordpress-seo/js/dist/externals/draftJs.js
    • Info: Class or method names constructed directly from user-controlled data.
      Function check_admin_referer should be performed with current_user_can() or similar.
      File: /wp-content/plugins/wordpress-seo/admin/views/tool-import-export.php (lines 25-30, 36-41).

    Please could you tell me whether these are genuine vulnerabilities or false positives. If they are genuine, please could you tell me when they will be fixed. If they are false positives, please could you explain why.

    Thanks!

    Nazar
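
The first finding above concerns the ReDoS class: a trailing-whitespace regex with a nested quantifier backtracks quadratically on a long run of spaces that ends in a non-space. The block below is an added illustration, not code from this thread, from Yoast SEO or from ua-parser-js; the vulnerable regex is an assumed stand-in with the same structure as the reported trim() pattern, not a quote of the library's source, and the inputs are constructed. It shows the vulnerable shape next to a linear-time replacement and times both on a worst-case string.

```javascript
// Added example (not code from the thread, Yoast SEO or ua-parser-js).
// Demonstrates the ReDoS class reported against ua-parser-js's trim():
// a trailing-whitespace regex of the form /\s\s*$/ (assumed stand-in,
// not the library's exact pattern) backtracks quadratically on input
// that is a long run of whitespace followed by a non-space character.

// Vulnerable shape: for every whitespace start position the engine runs
// greedily to the end, fails on '$', and backtracks, so a string of
// n spaces followed by 'x' costs O(n^2).
function trimVulnerable(str) {
  return str.replace(/^\s\s*/, '').replace(/\s\s*$/, '');
}

// Hardened form: index scan from both ends, one character at a time.
// No backtracking regex touches the untrusted tail, so cost is linear.
// A length cap before trimming (as ua-parser-js style libraries do for
// User-Agent strings) is an additional, independent bound on work.
function trimSafe(str) {
  if (typeof str !== 'string') return '';
  let start = 0;
  let end = str.length;
  while (start < end && /\s/.test(str[start])) start++;
  while (end > start && /\s/.test(str[end - 1])) end--;
  return str.slice(start, end);
}

// Constructed worst-case input: n whitespace characters then one 'x'.
function worstCase(n) {
  return ' '.repeat(n) + 'x';
}

// Wall-clock milliseconds for a single call; used only for the printout,
// since timings are machine-dependent and not something to assert on.
function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Both trims must agree on ordinary input; the difference is cost, not result.
function sameResult(input) {
  return trimVulnerable(input) === trimSafe(input);
}

if (typeof require !== 'undefined' && require.main === module) {
  // Doubling n roughly quadruples the vulnerable time; the safe trim stays flat.
  for (const n of [2000, 4000, 8000]) {
    const s = worstCase(n);
    console.log(
      `n=${n}: vulnerable ${timeMs(trimVulnerable, s).toFixed(2)} ms, ` +
      `safe ${timeMs(trimSafe, s).toFixed(3)} ms`
    );
  }
}
```

To confirm whether a bundled copy is actually in the affected range, the practical check is the version string embedded in the bundle (draftJs.js in this report) rather than the scanner's package name alone, since a minified bundle can pin an older release than the plugin's own package.json declares.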

Viewing 1 replies (of 1 total)
  • Plugin Support Maybellyne

    (@maybellyne)

    Hello Nazar

    We sincerely appreciate you reaching out to report a security issue. Please send a detailed report of any vulnerability you find to our security team. The following article includes more information about how to submit a security report for our plugin(s). Also, update to Yoast SEO v23.8, which is the latest version. In the meantime, we request you do not disclose any vulnerability publicly until you receive confirmation from our security team.


The topic ‘Security Vulnerabilities’ is closed to new replies.