CVE-2021-25118 Overview
CVE-2021-25118 is an information disclosure vulnerability affecting the Yoast SEO WordPress plugin. The vulnerability exists in versions 16.7 through 17.2, where the plugin improperly exposes the full internal server path of featured images in posts via the wp/v2/posts REST API endpoints. This path disclosure could assist attackers in identifying additional vulnerabilities or aid in exploiting other security weaknesses by revealing sensitive server directory structures.
Critical Impact
Attackers can enumerate internal server paths without authentication, potentially facilitating further attacks by revealing server configuration details and directory structures.
Affected Products
- Yoast SEO WordPress Plugin versions 16.7 to 17.2
- WordPress installations using affected Yoast SEO versions
- Sites with exposed REST API endpoints
Discovery Timeline
- 2022-02-28 - CVE-2021-25118 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-25118
Vulnerability Analysis
This vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The Yoast SEO plugin inadvertently discloses internal file system paths when processing featured images through WordPress REST API endpoints. When a user or automated tool queries the wp/v2/posts endpoint, the response includes the complete server-side file path for featured images rather than only the public-facing URL.
This type of information leakage, while not directly exploitable for immediate system compromise, provides reconnaissance data valuable to attackers. Knowledge of internal paths can reveal:
- Operating system type and directory structure
- Web server configuration and document root location
- Plugin installation paths that may contain version information
- User directory names that could be targeted in other attacks
Root Cause
The root cause lies in improper output sanitization within the Yoast SEO plugin's REST API response handling. When the plugin processes featured image metadata for REST API responses, it fails to filter out the internal server path information before including it in the API response. The plugin should only expose the public URL path, not the underlying filesystem location.
Attack Vector
The vulnerability is exploitable remotely over the network without any authentication or user interaction. An attacker can simply send HTTP requests to the WordPress REST API endpoint wp/v2/posts and parse the JSON response to extract internal path information.
The attack scenario typically involves:
- The attacker identifies a WordPress site using Yoast SEO plugin
- A request is made to the wp/v2/posts REST endpoint
- The JSON response contains featured image data with full internal paths
- The attacker extracts path information revealing server directory structure
- This information is used to facilitate additional attacks or vulnerability discovery
This reconnaissance data can be combined with other vulnerabilities such as Local File Inclusion (LFI) or path traversal attacks to achieve more significant impact.
Detection Methods for CVE-2021-25118
Indicators of Compromise
- Unusual volume of requests to wp/v2/posts REST API endpoints
- Sequential or automated queries targeting post metadata
- Access logs showing systematic enumeration of REST API responses
- Requests from suspicious IP addresses or known scanning tools
Detection Strategies
- Monitor WordPress REST API access logs for anomalous request patterns
- Implement rate limiting on REST API endpoints to detect enumeration attempts
- Review web server logs for requests containing wp/v2/posts from unexpected sources
- Deploy Web Application Firewall (WAF) rules to detect REST API reconnaissance activity
Monitoring Recommendations
- Enable detailed logging for WordPress REST API requests
- Set up alerts for high-frequency REST API queries from single IP addresses
- Monitor for requests that may indicate vulnerability scanning tools
- Regularly audit plugin versions to ensure vulnerable components are identified
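The log-monitoring and high-frequency alerting items above, as an added example that is not part of this page or of the Yoast/WordPress code: a Python script that parses Apache combined-format access log lines, counts wp/v2/posts requests per client (matching both the /wp-json/ route and the ?rest_route= form WordPress also accepts), and flags any client that issues more than a threshold of such requests inside a sliding time window. The sample log lines, IP addresses, threshold and window size are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: client IP, timestamp, request line, status, bytes, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Match the pretty-permalink route and the ?rest_route= fallback WordPress also serves.
POSTS_RE = re.compile(r'/wp-json/wp/v2/posts|rest_route=/wp/v2/posts', re.I)

def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_enumerators(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total_posts_requests} for every client that issued at least
    `threshold` wp/v2/posts requests inside any `window`-long sliding span."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and POSTS_RE.search(rec["path"]):
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

# Constructed sample log: one client paging through wp/v2/posts, one ordinary visitor.
def _line(ip, sec, path, ua="python-requests/2.27"):
    return f'{ip} - - [01/Mar/2022:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 5123 "-" "{ua}"'

SAMPLE_LOG = [_line("203.0.113.7", s, f"/wp-json/wp/v2/posts?per_page=100&page={s + 1}") for s in range(5)]
SAMPLE_LOG.append(_line("203.0.113.7", 9, "/?rest_route=/wp/v2/posts&page=7"))
SAMPLE_LOG.append(_line("198.51.100.2", 15, "/wp-json/wp/v2/posts/42", "Mozilla/5.0"))
SAMPLE_LOG.append(_line("198.51.100.2", 20, "/wp-content/uploads/2022/03/hero.jpg", "Mozilla/5.0"))

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # {'203.0.113.7': 6}
```

Tune the threshold and window to the site's normal REST traffic before alerting on the result, and feed real log lines in place of SAMPLE_LOG.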
How to Mitigate CVE-2021-25118
Immediate Actions Required
- Update Yoast SEO plugin to version 17.3 or later immediately
- Audit WordPress REST API access logs for signs of exploitation
- Consider temporarily restricting REST API access if immediate patching is not possible
- Review server configurations to minimize information exposure
Patch Information
Yoast has addressed this vulnerability in versions after 17.2. The fix involves properly sanitizing REST API responses to exclude internal server path information. Detailed information about the code changes can be found in the WordPress Plugin Changeset 2608691. Additional vulnerability details are available in the WPScan Vulnerability Report.
Workarounds
- Restrict access to WordPress REST API endpoints using server configuration or security plugins
- Implement IP-based access controls for sensitive REST API endpoints
- Use a Web Application Firewall to filter and monitor REST API traffic
- Consider disabling the REST API for unauthenticated users if not required for site functionality
# Example: Restrict REST API access in .htaccess for Apache servers
# Returns 403 for wp/v2/posts requests from any client outside the example allow-list;
# replace 192.168.1. with the address range that legitimately needs the endpoint.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Matches the pretty-permalink route only; sites without pretty permalinks serve the
    # same endpoint as /?rest_route=/wp/v2/posts, which this condition does not cover.
    RewriteCond %{REQUEST_URI} ^/wp-json/wp/v2/posts [NC]
    # Allow-list: do not block clients whose address starts with 192.168.1.
    RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.
    # [F] returns 403 Forbidden, [L] stops processing further rules
    RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.