CVE-2015-2293
medium
CVSS v3
—
CVSS v2
6.8
VIR risk
6.8
Description
Multiple cross-site request forgery (CSRF) vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for WordPress allow remote attackers to hijack the authentication of certain users for requests that conduct SQL injection attacks via the (1) order_by or (2) order parameter in the wpseo_bulk-editor page.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — https://yoast.com/wordpress-seo-security-release/
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| yoast | wordpress_seo | {"endIncluding":"1.5.6"} | |
| yoast | wordpress_seo | 1.6.0 | |
| yoast | wordpress_seo | 1.6.1 | |
| yoast | wordpress_seo | 1.6.2 | |
| yoast | wordpress_seo | 1.6.3 | |
| yoast | wordpress_seo | 1.7.1 | |
| yoast | wordpress_seo | 1.7.2 | |
| yoast | wordpress_seo | 1.7.3 | |
| yoast | wordpress_seo | 1.7.3.1 | |
| yoast | wordpress_seo | 1.7.3.2 | |
| yoast | wordpress_seo | 1.7.3.3 | |
References
- http://packetstormsecurity.com/files/130811/WordPress-SEO-By-Yoast-1.7.3.3-SQL-Injection.html
- http://seclists.org/fulldisclosure/2015/Mar/73
- http://www.securitytracker.com/id/1031920
- https://wordpress.org/plugins/wordpress-seo/changelog/
- https://wpvulndb.com/vulnerabilities/7841
- https://yoast.com/wordpress-seo-security-release/
- http://packetstormsecurity.com/files/130811/WordPress-SEO-By-Yoast-1.7.3.3-SQL-Injection.html
- http://seclists.org/fulldisclosure/2015/Mar/73
- http://www.securitytracker.com/id/1031920
- https://wordpress.org/plugins/wordpress-seo/changelog/
- https://wpvulndb.com/vulnerabilities/7841
- https://yoast.com/wordpress-seo-security-release/
CWEs
CWE-352
Verify integrity in audit chain (admin only). AS-IS.