VYPR
Medium severity (5.5) · NVD Advisory · Published Feb 11, 2026 · Updated Apr 15, 2026

CVE-2019-25314

Description

Yoast Duplicate Post WordPress plugin 3.2.3 contains a persistent (stored) cross-site scripting vulnerability in its settings parameters. An attacker with access to the settings page can inject markup into the title prefix, title suffix, menu order and blacklist fields; the stored values are rendered back unescaped, so arbitrary JavaScript executes in the browser of any administrator who opens the plugin settings.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Yoast Duplicate Post 3.2.3 has a stored XSS in plugin settings, allowing admin-level script injection.

Vulnerability

Overview

The Yoast Duplicate Post plugin for WordPress, version 3.2.3, contains a persistent (stored) cross-site scripting (XSS) vulnerability. The flaw resides in the plugin's settings panel, specifically within the 'Title prefix', 'Title suffix', 'Increase menu order by', and 'Do not copy these fields' parameters. The plugin fails to properly sanitize or escape user-supplied input before storing it, allowing attackers to inject arbitrary HTML and JavaScript [1][3][4].

Exploitation

Details

An attacker who can reach the plugin's settings (in practice an Administrator, since WordPress gates the options page on the manage_options capability) navigates to /wp-admin/options-general.php?page=duplicatepost and saves a payload in one of the vulnerable fields. The payload begins with "> to close the value attribute of the settings input and is followed by script markup. WordPress stores the value unchanged in the options table, and every subsequent load of the settings page echoes it back into the form without escaping, so the injected script runs in the browser of whichever administrator opens the page, with no further interaction required [3].
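The pattern behind this class of bug, as an added illustration (this is not code from the Duplicate Post plugin or from the advisory): an option value is written into an input's value attribute, first raw and then escaped for an attribute context. The option name duplicate_post_title_prefix is assumed from the plugin's naming, and the payload is constructed for the demo. Inside WordPress the escaping call is esc_attr(); htmlspecialchars() is its plain-PHP equivalent so the file runs stand-alone with `php render_demo.php`.

```php
<?php
// Added example, not plugin code. Models the settings-page pattern the
// advisory describes: a stored option echoed into <input value="...">.
// $payload and the option name duplicate_post_title_prefix are assumptions.

declare(strict_types=1);

// Vulnerable pattern: the stored option is echoed into the attribute raw.
// A value containing "> closes the attribute and the tag, and anything
// after it is parsed as new markup by the administrator's browser.
function render_title_prefix_vulnerable(string $value): string
{
    return '<input type="text" name="duplicate_post_title_prefix" value="' . $value . '" />';
}

// Hardened pattern: escape for an attribute context at output time.
// In WordPress this is esc_attr($value); htmlspecialchars with ENT_QUOTES
// does the same job here so the example has no WordPress dependency.
function render_title_prefix_hardened(string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="duplicate_post_title_prefix" value="' . $escaped . '" />';
}

// Defence in depth: validate on save as well, so a breakout never reaches
// wp_options. A title prefix has no business containing tags or quotes.
// In WordPress this logic belongs in the 'sanitize_callback' argument of
// register_setting() or a sanitize_option_{option} filter; the integer
// "Increase menu order by" field should simply be cast with intval().
function sanitize_title_prefix(string $raw): string
{
    $clean = strip_tags($raw);
    return trim(str_replace(['"', "'", '<', '>'], '', $clean));
}

// Constructed attacker value: closes the value attribute and the input
// tag, then injects an element carrying an event handler.
$payload = '"><img src=x onerror=alert(document.domain)>';

echo "vulnerable:\n", render_title_prefix_vulnerable($payload), "\n\n";
echo "hardened:\n", render_title_prefix_hardened($payload), "\n\n";
echo "sanitised on save: '", sanitize_title_prefix($payload), "'\n";

// In the hardened output every " becomes &quot; and < > become &lt; &gt;,
// so the browser sees a single input with an odd default value and no
// new element; the sanitiser reduces the payload to an empty string.
```

Escaping at output is the fix that actually closes the hole, because the settings page is where the stored value meets a browser; validation on save is the second layer that keeps the options table clean and makes the audit below meaningful.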

Impact

Successful exploitation runs attacker-controlled JavaScript in the context of the WordPress admin dashboard for every administrator who opens the settings page. Direct cookie theft is limited because WordPress sets its authentication cookies HttpOnly, but the script can drive the victim's authenticated session from inside the page: read nonces, create users, change options, or redirect the administrator to an attacker-controlled site. Because saving the settings already requires Administrator privileges, the realistic scenarios are a compromised or malicious administrator account targeting other administrators, and installations where administrators lack the unfiltered_html capability (for example multisite, where only super admins hold it) and would otherwise be unable to plant markup. The attack is persistent: the payload stays in the options table and fires on every visit until it is removed from the stored settings [4].

Mitigation

Status

Users should update to a current release of the Yoast Duplicate Post plugin; the issue has been documented since June 2019 [3], but this page records no confirmed patch, so the fix should be verified against the plugin changelog rather than assumed. Beyond updating, keep Administrator accounts to the minimum set of trusted users, and review the four stored settings for markup that does not belong in a title prefix, suffix, menu-order integer or field blacklist.
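One way to do that review, as an added example that is not part of the plugin or the advisory: audit the four settings for values that could not have come from honest use. The option names below are assumed from the plugin's naming convention, and the sample values are constructed; on a live site, populate $options from `wp option get <name>` for each key or from a query against wp_options. Run with `php audit.php`; a non-zero exit means something was flagged.

```php
<?php
// Added example, not plugin code. Flags markup or event handlers in the
// Duplicate Post settings the advisory names. Option names are assumed;
// the $options array below is constructed input standing in for wp_options.

declare(strict_types=1);

const DUPLICATE_POST_OPTIONS = [
    'duplicate_post_title_prefix'           => 'text', // Title prefix
    'duplicate_post_title_suffix'           => 'text', // Title suffix
    'duplicate_post_increase_menu_order_by' => 'int',  // Increase menu order by
    'duplicate_post_blacklist'              => 'csv',  // Do not copy these fields
];

// Returns a list of human-readable findings; an empty array means clean.
function audit_duplicate_post_options(array $options): array
{
    $findings = [];
    foreach (DUPLICATE_POST_OPTIONS as $name => $kind) {
        if (!array_key_exists($name, $options)) {
            continue; // unset: WordPress falls back to the plugin default
        }
        $value = (string) $options[$name];
        $why = null;
        if ($kind === 'int' && preg_match('/^\s*-?\d+\s*$/', $value) !== 1) {
            $why = 'expected an integer';
        } elseif ($kind === 'csv' && preg_match('/^[\w\s,\-]*$/', $value) !== 1) {
            $why = 'expected comma-separated meta field names';
        } elseif (preg_match('/[<>"]|javascript:|\bon\w+\s*=/i', $value) === 1) {
            // A double quote is enough to break out of value="..."; tags and
            // inline handlers are what the breakout is normally used for.
            $why = 'contains markup, a double quote or an event handler';
        }
        if ($why !== null) {
            $findings[] = sprintf('%s: %s (value: %s)', $name, $why, json_encode($value));
        }
    }
    return $findings;
}

// Constructed sample: three honest values and one injected suffix.
$options = [
    'duplicate_post_title_prefix'           => 'Copy of',
    'duplicate_post_title_suffix'           => '"><script>alert(1)</script>',
    'duplicate_post_increase_menu_order_by' => '1',
    'duplicate_post_blacklist'              => '_edit_lock,_edit_last',
];

$findings = audit_duplicate_post_options($options);
if ($findings === []) {
    echo "OK: Duplicate Post settings contain no markup\n";
    exit(0);
}
foreach ($findings as $finding) {
    echo 'SUSPICIOUS ', $finding, "\n";
}
exit(1);
```

A flagged value is cleaned up by overwriting the option (for example `wp option update duplicate_post_title_suffix ""`, using whichever option name the installed version actually registers) and then treating the administrator account that saved it as compromised, since only an account with manage_options could have written it.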

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)