Arbitrary Command Execution Affecting yoast/wordpress-seo package, versions <9.2.0


0.0
high

Snyk CVSS

    Attack Complexity Low
    Privileges Required High
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    EPSS 1.42% (87th percentile)
Expand this section
NVD
6.6 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PHP-YOASTWORDPRESSSEO-72648
  • published 29 Nov 2018
  • disclosed 28 Nov 2018
  • credit gweeperx

How to fix?

Upgrade yoast/wordpress-seo to version 9.2.0 or higher.

Overview

yoast/wordpress-seo is a Yoast SEO for WordPress.

Affected versions of this package are vulnerable to Arbitrary Command Execution due to a race condition via the admin/import/class-import-settings.php path in unzip_file. A SEO Manager could perform command execution on the Operating System via a ZIP import.