Share
## https://sploitus.com/exploit?id=PACKETSTORM:214751
Clicky by Yoast 1.4.3 - Multiple Stored Cross-site Scripting
    Advisory ID: RO-16-006
    Severity: Medium
    Vendor: Yoast
    Product: Clicky by Yoast
    Version: 1.4.3
    
    
    Overview #
    
    Multiple Stored Cross-site Scripting (XSS) vulnerabilities exist in Clicky by Yoast WordPress Plugin version 1.4.3.
    
    
    Vulnerability Details #
    
    Affected Versions: 1.4.3 and earlier
    
    Root Cause: Insufficient input validation in plugin settings page.
    Technical Details #
    
    Vulnerable URL: /wp-admin/options-general.php?page=clicky
    
    Vulnerable Parameters (POST):
    
        admin_site_key
        site_id
        site_key
        outbound_pattern
    
    Attack Pattern:
    
    '" onmouseover=alert(0x000136)
    
    
    
    Exploitation Requirements #
    
        Admin authentication required
        Stored XSS persists in settings
    
    Impact #
    
    Remote attackers can exploit these vulnerabilities to:
    
        Steal admin session cookies
        Perform administrative actions
        Persistently compromise the WordPress admin panel
    
    
    
    Solution #
    
    Update to the latest version. See Yoast SEO changelog.
    
    
    References #
    
        Invicti Advisory NS-16-008
    
    Timeline:
    
        [2016-06-29] - First Contact
        [2016-07-01] - Vendor Replied
        [2016-07-27] - Advisory Released
    
    Credits: Omar Kurt