CVE-2019-11869
published 2019-05-09


Priority: P2 · 79 · medium · 6.1 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 5.33% (91.6th percentile)
The Yuzo Related Posts plugin 5.12.94 for WordPress has XSS because it mistakenly expects that is_admin() verifies that the request comes from an admin user (it actually only verifies that the request is for an admin page). An unauthenticated attacker can inject a payload into the plugin settings, such as the yuzo_related_post_css_and_style setting.
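The root cause stated above is a confusion between "is this an admin-area request" and "is the requester an administrator". The following PHP is an added illustration, not the plugin's code, that places the mistaken pattern beside the checks WordPress actually provides for authorization (current_user_can), request integrity (check_admin_referer) and output escaping. Function and option names prefixed with hypothetical_ are invented for the example; is_admin(), current_user_can(), check_admin_referer(), wp_unslash(), sanitize_text_field(), update_option(), get_option(), esc_html() and wp_die() are core WordPress APIs. The setting here is a plain-text heading rendered in an HTML context; a CSS setting like the one named in this CVE would additionally need context-appropriate sanitization before being placed inside a style element.

```php
<?php
// Added illustration (not the plugin's code): why gating a settings save on
// is_admin() is not an authorization check, and what to use instead.

// Vulnerable pattern. is_admin() returns true whenever the request targets
// the admin area (a /wp-admin/ URL, including admin-ajax.php); it says
// nothing about who is making the request. A handler registered on a
// no-privilege hook is reachable by anyone, so this save is effectively
// public and the raw value is stored unsanitized.
function hypothetical_save_heading_vulnerable() {
    if ( ! is_admin() ) {
        return;
    }
    update_option( 'hypothetical_heading', $_POST['heading'] ?? '' );
}

// Hardened pattern. Authorization is a capability check on the current
// user, the request must carry a valid nonce, and the value is sanitized
// before it is stored.
function hypothetical_save_heading_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Terminates the request if the nonce is missing or invalid.
    check_admin_referer( 'hypothetical_save_heading' );
    $heading = sanitize_text_field( wp_unslash( $_POST['heading'] ?? '' ) );
    update_option( 'hypothetical_heading', $heading );
}

// Output side. Escape at render time as well, so that a tampered option
// cannot inject markup into the front page even if the save path regresses.
function hypothetical_render_heading() {
    echo '<h3>' . esc_html( get_option( 'hypothetical_heading', '' ) ) . '</h3>';
}
```

Detection teams reviewing similar plugins can grep for handlers whose only guard is is_admin(): that call is a context test, and any settings write it protects should also carry a capability check and a nonce check.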

Affected

1 range

Vendor   | Product | Version range | Fixed in
yuzopro  | yuzo    |               |

Detection & IOCs (extracted from sources)

other: yuzo_related_post_css_and_style
  • Probe for reflected/stored XSS by checking if 'alert(0);' appears in the response body of the WordPress front page after injecting into plugin settings
  • Confirm exploitation by verifying the response Content-Type is text/html
  • The vulnerability is exploitable by unauthenticated users because is_admin() only checks if the request targets an admin page, not whether the requester is an authenticated admin
  • Vulnerable version is specifically 5.12.94 of the Yuzo Related Posts WordPress plugin

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.0    | 6.1   | MEDIUM   | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd       | v2.0    | 4.3   | MEDIUM   | AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck |         | 6.1   | MEDIUM   |