5.3

CVE-2021-25118

Exploit

Yoast SEO 16.7-17.2 - Unauthenticated Full Path Disclosure

Yoast SEO <= 17.2 - Full Path Disclosure

The Yoast SEO WordPress plugin (from versions 16.7 until 17.2) discloses the full internal path of featured images in posts via the wp/v2/posts REST endpoints which could help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities.
Mögliche Gegenmaßnahme
Yoast SEO – Advanced SEO with real-time guidance and built-in AI: Update to version 17.3, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
YoastYoast Seo SwPlatformwordpress Version >= 16.7 < 17.3
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt Yoast SEO – Advanced SEO with real-time guidance and built-in AI
Version [*, 17.3)
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 5.79% 0.921
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://plugins.trac.wordpress.org/changeset/2608691
Third Party Advisory
Release Notes
https://wpscan.com/vulnerability/2c3f9038-632d-40ef-a099-6ea202efb550
Third Party Advisory
Exploit
https://www.wordfence.com/threat-intel/vulnerabilities/id/f162e046-a7d3-4f2c-899d-6c46cb92c8ee
Third Party Advisory