Stored XSS in Google Analytics by Yoast Premium allows privileged users to attack other users


Last revised:

A user with the “manage_options” capability but not the “unfiltered_html” capability is able to add arbitrary JavaScript to a page visible to admins.

In the default configuration of WordPress, all users with the “manage_options” capability have the “unfiltered_html” capability. However it is possible to remove the “unfiltered_html” capability from (non-super) admin users. Therefore this presents a vulnerability in which an authenticated user is able to exceed their privileges.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 5.5 Medium
Vector Network
Complexity Low
Authentication Single
Confidentiality Partial
Integrity Partial
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

  • Remove the “unfiltered_html” capability from the admin role and log in as a non-super admin
  • For testing you can remove that capability from all users with this line: add_filter(user_has_cap‘, function ($allcaps, $cap, $args) { $allcaps[unfiltered_html] = false; return $allcaps; }, 10, 3);
  • Visit Analytics > Settings
  • Click the Advanced tab
  • Enter the following into the Subdomain tracking field (including the quotes): ” onfocus=”alert(1)
  • Click Save changes
  • Refresh the page
  • Click the Advanced tab
  • Focus the Subdomain tracking field by clicking it or tabbing to it
  • alert(1) will be called

Advisory timeline

  • 2015-07-21: Discovered
  • 2015-07-22: Reported to vendor via email
  • 2015-07-22: Requested CVE
  • 2015-08-10: Vendor confirmed fixed in version 5.4.5
  • 2015-08-10: Published

Mitigation/further actions

Upgrade to version 5.4.5 or later.

If all users have the ‘unfiltered_html’ capability, or there is only one admin, then there is no issue.