VYPR
Unrated severity · NVD Advisory · Published Jul 9, 2019 · Updated Aug 4, 2024

CVE-2019-13478

Description

The Yoast SEO plugin before 11.6-RC5 for WordPress does not properly restrict unfiltered HTML in term descriptions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Yoast SEO ≤11.5 allows unfiltered HTML in term descriptions, enabling stored XSS via crafted taxonomy terms.

Vulnerability

The Yoast SEO plugin for WordPress, in every release before 11.6-RC5 (11.5 and earlier, plus the earlier 11.6 release candidates), does not properly restrict unfiltered HTML in term descriptions. WordPress core normally runs a term description through its kses filter before saving it for any user who lacks the unfiltered_html capability, so script tags and event-handler attributes never reach the database; the plugin's term-description handling in its taxonomy features let such HTML through. The flaw is reachable by a user who can create or edit taxonomy terms (categories, tags, or custom taxonomies; the manage_categories capability, held by Editors and above by default) but who does not hold unfiltered_html. On a multisite installation that includes site Administrators, since only super admins hold unfiltered_html there. The affected versions are all releases before the 11.6-RC5 tag [1].

Exploitation

An attacker must be able to create or modify taxonomy terms without holding the unfiltered_html capability; by default that means an Editor or above, or, on multisite, any site Administrator. The attacker saves a term description containing markup that kses would otherwise strip, such as `<script>` tags or an `onerror` handler on an `<img>` tag. When a visitor views a page that renders the description (the term archive, or any theme template or widget that outputs it), the injected HTML executes in the visitor's browser. No interaction beyond normal browsing is required; the attacker only needs the poisoned term to appear on a publicly reachable page.

Impact

Successful exploitation yields stored cross-site scripting (XSS): arbitrary JavaScript runs in the context of every visitor who views a page containing the compromised term. That enables defacement, redirection, and attacks on the site's users, and against a logged-in administrator it enables privileged actions performed from inside the victim's session. WordPress sets its authentication cookies HttpOnly, so the practical route is issuing authenticated requests (with nonces harvested from the page) from the injected script rather than exfiltrating the cookie itself. The privilege needed to inject is only that of a term editor lacking unfiltered_html, but the payload reaches all site visitors.

Mitigation

The fix is in Yoast SEO version 11.6-RC5 [1]; upgrade to that release or later. No official workaround is documented, and older release lines of the plugin are not maintained, so upgrading is the only path to the fix. Note that upgrading stops new injection but does not clean what is already stored: a term description saved with a payload before the upgrade stays in the database and keeps executing until it is edited or removed, so audit existing term descriptions after patching.
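The vulnerability class behind the Vulnerability and Exploitation sections, its hardened form, and the post-upgrade audit the Mitigation section calls for, as an added illustration that is not Yoast SEO's code. It assumes a hypothetical plugin that removes WordPress core's kses filter from `pre_term_description` to allow richer term descriptions; the `example_*` function names are invented for this example, while the hooks and functions called (`pre_term_description`, `wp_filter_kses`, `wp_filter_post_kses`, `wp_kses_post`, `wp_kses_normalize_entities`, `wp_kses_no_null`, `current_user_can`, `get_terms`) are WordPress core's own. It must be loaded inside WordPress, for instance as a file in `wp-content/mu-plugins/`.

```php
<?php
/*
 * Added illustration for CVE-2019-13478; not Yoast SEO's code.
 *
 * WordPress core (kses_init_filters) hooks wp_filter_kses() onto
 * `pre_term_description` for every user who lacks the `unfiltered_html`
 * capability, so <script> and on* attributes are stripped before a term is
 * saved. A plugin that wants richer term descriptions and removes that
 * filter unconditionally reintroduces stored XSS for those users.
 */

// Hypothetical vulnerable pattern: the kses filter is removed for everyone,
// so any user who can edit terms can store raw HTML in the description.
function example_insecure_rich_term_descriptions() {
    remove_filter( 'pre_term_description', 'wp_filter_kses' );
}

// Hardened form: users core already trusts with raw HTML need no change;
// everyone else gets the larger post-content allowlist instead of nothing.
// wp_filter_post_kses() rather than wp_kses_post() because pre_* filters
// receive slashed data and wp_filter_post_kses() strips/re-adds the slashes.
function example_secure_rich_term_descriptions() {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return; // core never added wp_filter_kses for this user
    }
    remove_filter( 'pre_term_description', 'wp_filter_kses' );
    add_filter( 'pre_term_description', 'wp_filter_post_kses' );
}
// Priority 20 so this runs after core's own kses_init() on `init`.
add_action( 'init', 'example_secure_rich_term_descriptions', 20 );

// Post-upgrade audit: the fix stops new injection but does not clean rows
// already stored. Returns the terms whose description contains markup the
// post allowlist would strip. Entities are normalised first so a bare "&"
// in a benign description is not reported as a change; the result is a
// shortlist for manual review, since kses also re-quotes sloppy attributes.
function example_audit_term_descriptions( array $taxonomies = array( 'category', 'post_tag' ) ) {
    $findings = array();
    foreach ( $taxonomies as $taxonomy ) {
        $terms = get_terms( array( 'taxonomy' => $taxonomy, 'hide_empty' => false ) );
        if ( is_wp_error( $terms ) ) {
            continue;
        }
        foreach ( $terms as $term ) {
            $raw = wp_kses_normalize_entities( wp_kses_no_null( (string) $term->description ) );
            if ( wp_kses_post( $raw ) !== $raw ) {
                $findings[] = array(
                    'taxonomy' => $taxonomy,
                    'term_id'  => $term->term_id,
                    'name'     => $term->name,
                    'raw'      => $term->description, // inspect by hand before editing
                );
            }
        }
    }
    return $findings;
}
```

Run the audit from WP-CLI with `wp eval 'print_r( example_audit_term_descriptions() );'` (add custom taxonomy names to the argument if the site uses them). Each hit is either a legitimately rich description saved by a user holding unfiltered_html or a leftover payload; strip the markup by hand or re-save the description as a user who lacks unfiltered_html so the enforced filter cleans it.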

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)