CVE-2024-4984 Overview
The Yoast SEO plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the display_name author meta field. This vulnerability affects all versions up to and including 22.6 and stems from insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access or above can exploit this flaw to inject arbitrary web scripts into pages, which execute whenever a user accesses an injected page.
Critical Impact
Authenticated attackers can inject persistent malicious scripts that execute in the context of other users' sessions, potentially leading to session hijacking, credential theft, or administrative account compromise on WordPress sites using vulnerable Yoast SEO versions.
Affected Products
- Yoast SEO WordPress Plugin versions up to and including 22.6
- WordPress installations with vulnerable Yoast SEO plugin versions
- Sites allowing contributor-level or higher user registrations
Discovery Timeline
- 2024-05-16 - CVE-2024-4984 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-4984
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability exists within the Yoast SEO plugin's handling of the display_name author meta field. The plugin fails to properly sanitize user-controlled input before storing it and subsequently does not adequately escape the output when rendering this data on WordPress pages. This combination of inadequate input validation and output encoding creates a persistent XSS attack surface.
The vulnerability requires authentication with at least contributor-level privileges, which limits the initial attack surface but remains significant given that many WordPress sites permit user registration at this level. Once a malicious payload is injected, it persists in the database and executes in the browser context of any user who views the affected content, including site administrators.
Root Cause
The root cause of this vulnerability lies in the enhanced-data-presenter.php file within the Slack integration component of the Yoast SEO plugin. The display_name field value is processed without adequate sanitization before storage and rendered without proper HTML entity encoding during output. This allows specially crafted input containing JavaScript code to be stored and later executed in victim browsers.
Attack Vector
The attack vector is network-based and requires authenticated access at the contributor level or higher. An attacker with appropriate permissions can modify their author display_name meta field to include malicious JavaScript payloads. When the Yoast SEO plugin processes and displays this field—particularly in enhanced Slack preview data—the unsanitized script executes in the context of any user viewing the affected page.
The attack chain typically involves:
- Attacker obtains contributor-level credentials (through registration, compromise, or social engineering)
- Attacker injects malicious JavaScript into their display_name field
- Victim users visit pages containing the attacker's author information
- Malicious script executes with the victim's session privileges
Since no verified code examples are available for this vulnerability, refer to the GitHub Pull Request #21334 and the WordPress SEO Changeset 3079234 for technical implementation details of the fix.
Detection Methods for CVE-2024-4984
Indicators of Compromise
- Unusual or suspicious content in WordPress user display_name meta fields containing script tags, event handlers, or encoded JavaScript
- Unexpected JavaScript execution or redirects when viewing author pages or posts
- Modified user profile data containing HTML or JavaScript elements
- Browser console errors indicating blocked or executed inline scripts from unexpected sources
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block inline script execution attempts
- Monitor WordPress database for suspicious patterns in user meta fields, particularly display_name values containing HTML/JavaScript
- Deploy Web Application Firewall (WAF) rules to detect XSS payloads in user profile submissions
- Review WordPress audit logs for unusual profile modification patterns by contributor-level accounts
Monitoring Recommendations
- Enable detailed logging for user profile modifications in WordPress
- Configure SentinelOne Singularity Platform to monitor for anomalous web application behavior and JavaScript injection patterns
- Implement browser-side XSS auditing and reporting mechanisms
- Regularly audit contributor and author account activities for suspicious behavior
How to Mitigate CVE-2024-4984
Immediate Actions Required
- Update Yoast SEO plugin to version 22.7 or later immediately
- Audit all existing user display_name meta fields for potentially malicious content
- Review and sanitize any suspicious entries found in user profiles
- Consider temporarily restricting contributor-level registration until patches are applied
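The database-monitoring strategy above and the audit step in this list both come down to the same task: pull every user's display_name, flag values that carry markup, and prepare a clean replacement. The following script is an added example for this page, not code from Yoast SEO, WordPress or the original write-up. It parses the CSV that the real WP-CLI command `wp user list --fields=ID,user_login,display_name --format=csv` prints; the sample rows embedded below are constructed for illustration, and the `sanitize_display_name` cleaner is deliberately stricter than WordPress's own `sanitize_text_field()`.

```python
"""Audit WordPress display_name values for stored-XSS indicators.

Added example for this page; not code from Yoast SEO, WordPress or the
original write-up.  It consumes the CSV printed by the real WP-CLI command
`wp user list --fields=ID,user_login,display_name --format=csv`; the rows
in SAMPLE_CSV are constructed for illustration.
"""
import csv
import html
import io
import re

# Constructed sample of `wp user list ... --format=csv` output (not real data).
SAMPLE_CSV = (
    "ID,user_login,display_name\n"
    "1,admin,Site Admin\n"
    '7,contrib_a,"Jane ""Writer"" Doe"\n'
    '12,contrib_b,"Eve <b onmouseover=x>Bold</b>"\n'
    '15,contrib_c,"Mallory &#60;script&#62;"\n'
    '20,contrib_d,"Trent javascript:void(0)"\n'
)

# Markup a display name has no legitimate reason to contain.  Dict order is
# the order in which pattern names are returned by flag_display_name().
SUSPICIOUS_PATTERNS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z][a-z0-9-]*", re.I),    # <b, </script, <img
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),         # onmouseover=, onerror=
    "js_uri": re.compile(r"javascript\s*:", re.I),                # javascript: scheme
    "html_entity": re.compile(r"&#x?[0-9a-f]+;|&[a-z]+;", re.I),  # entity-encoded markup
}


def flag_display_name(value):
    """Return the names of every pattern that matches one display_name value."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(value)]


def audit_user_csv(csv_text):
    """Parse WP-CLI CSV output; return (ID, login, display_name, hits) for flagged users."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        hits = flag_display_name(row["display_name"])
        if hits:
            findings.append((int(row["ID"]), row["user_login"], row["display_name"], hits))
    return findings


def sanitize_display_name(value):
    """Build a clean replacement value: decode entities first so an encoded tag
    cannot survive, strip every tag, then collapse whitespace.  Deliberately
    strict cleaner for stored data; not WordPress's own sanitize_text_field()."""
    decoded = html.unescape(value)
    stripped = re.sub(r"<[^>]*>", "", decoded)
    return re.sub(r"\s+", " ", stripped).strip()


def escape_for_output(value):
    """Output-side defence: encode &, <, > and both quote characters so a stored
    value is inert when echoed into HTML.  This is the Python counterpart of the
    PHP-side output escaping (esc_html) that the fix relies on."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for user_id, login, name, hits in audit_user_csv(SAMPLE_CSV):
        clean = sanitize_display_name(name)
        print(f"user {user_id} ({login}): {hits} -> {name!r}")
        # Real WP-CLI command an operator can run once the hit has been reviewed.
        print(f'  remediate with: wp user update {user_id} --display_name="{clean}"')
```

Run it against live output by replacing `SAMPLE_CSV` with the captured command output; treat the `js_uri` and `html_entity` hits as review items rather than auto-fixes, since the cleaner only removes tags and a legitimate name can contain an ampersand entity. Whatever is stored, the durable defence is the output escaping the 22.7 fix adds, which `escape_for_output` mirrors.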
Patch Information
Yoast has addressed this vulnerability in version 22.7 of the Yoast SEO plugin. The fix implements proper input sanitization and output escaping for the display_name author meta field in the enhanced-data-presenter.php file. Detailed information about the security fix is available in the Yoast SEO Changelog 22.7 and the Wordfence Vulnerability Analysis.
Workarounds
- Implement strict Content Security Policy headers to mitigate XSS impact pending updates
- Limit user registration to prevent untrusted contributor accounts from being created
- Manually sanitize existing display_name values in the WordPress database
- Deploy a Web Application Firewall with XSS protection rules as an additional defense layer
# Check current Yoast SEO version via WP-CLI
wp plugin list --name=wordpress-seo --fields=name,version,update_version
# Update Yoast SEO to latest version
wp plugin update wordpress-seo
# Verify update was successful
wp plugin get wordpress-seo --field=version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.