Unrated severity · NVD Advisory · Published May 9, 2019 · Updated Aug 4, 2024
CVE-2019-11869
Description
The Yuzo Related Posts plugin 5.12.94 for WordPress has XSS because it mistakenly expects that is_admin() verifies that the request comes from an admin user (it actually only verifies that the request is for an admin page). An unauthenticated attacker can inject a payload into the plugin settings, such as the yuzo_related_post_css_and_style setting.
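The is_admin() mistake described above, as an added example that is not the plugin's own code: a hypothetical settings handler written first with the flawed check and then hardened. The function names, the `yuzo_example_settings` nonce action and the `css_and_style` form field are assumptions; only the option name comes from the advisory.

```php
<?php
// Added illustration, NOT the Yuzo Related Posts source. Function names, the
// nonce action and the POST field name are hypothetical. Only the option name
// 'yuzo_related_post_css_and_style' is taken from the advisory.

// Flawed pattern: is_admin() only reports that the request is for an
// admin-area page. It says nothing about who sent the request.
function example_save_settings_flawed() {
    if ( is_admin() && isset( $_POST['css_and_style'] ) ) {
        // Input from an unauthenticated request is stored in an option that
        // is later printed into pages, which is the persistent XSS.
        update_option( 'yuzo_related_post_css_and_style', $_POST['css_and_style'] );
    }
}

// Hardened pattern: authorize the user, verify a nonce tied to the settings
// form, and sanitize the value before it is stored.
function example_save_settings_hardened() {
    if ( ! isset( $_POST['css_and_style'] ) ) {
        return; // Not a settings submission.
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies unless the request carries a valid _wpnonce for this action.
    check_admin_referer( 'yuzo_example_settings' );

    $css = wp_strip_all_tags( wp_unslash( $_POST['css_and_style'] ) );
    update_option( 'yuzo_related_post_css_and_style', $css );
}
add_action( 'admin_init', 'example_save_settings_hardened' );

// Defense in depth on output: strip tags again so a value already stored by
// the flawed handler cannot close the <style> element and inject markup.
function example_print_style() {
    $css = get_option( 'yuzo_related_post_css_and_style', '' );
    echo '<style>' . wp_strip_all_tags( $css ) . '</style>';
}
add_action( 'wp_head', 'example_print_style' );
```

Sites that ran the affected version should also inspect the stored option value, since fixing the handler does not remove content that was already saved.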
Affected products
- WordPress/Yuzo Related Posts plugin
- Range: =5.12.94
Patches
No patches discovered yet.
References
- wpvulndb.com/vulnerabilities/9254 (MITRE, x_refsource_MISC)
- www.pluginvulnerabilities.com/2019/03/30/wordpress-plugin-team-paints-target-on-exploitable-settings-change-vulnerability-that-permits-persistent-xss-in-related-posts/ (MITRE, x_refsource_MISC)
- www.wordfence.com/blog/2019/04/yuzo-related-posts-zero-day-vulnerability-exploited-in-the-wild/ (MITRE, x_refsource_MISC)