CVE-2021-25118: Yoast SEO 16.7-17.2 - Unauthenticated Full Path Disclosure
First published: Mon Feb 28 2022(Updated: )
The Yoast SEO WordPress plugin (from versions 16.7 until 17.2) discloses the full internal path of featured images in posts via the wp/v2/posts REST endpoints which could help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Yoast Yoast Seo | >=16.7<17.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-25118?
CVE-2021-25118 refers to a vulnerability in the Yoast SEO WordPress plugin (versions 16.7 until 17.2) that discloses the full internal path of featured images in posts via the wp/v2/posts REST endpoints.
How does CVE-2021-25118 impact the Yoast SEO plugin?
CVE-2021-25118 allows an attacker to obtain the full internal path of featured images in posts, potentially aiding in the identification of other vulnerabilities or exploitation of known vulnerabilities.
What is the severity of CVE-2021-25118?
CVE-2021-25118 has a severity rating of medium with a CVSS score of 5.3.
Which versions of the Yoast SEO plugin are affected by CVE-2021-25118?
Versions 16.7 until 17.2 of the Yoast SEO WordPress plugin are affected by CVE-2021-25118.
How can I fix CVE-2021-25118?
To fix CVE-2021-25118, users should update their Yoast SEO plugin to version 17.3 or later.
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/severity
- agent/weakness
- agent/author
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/yoast
- canonical/yoast yoast seo
- version/yoast yoast seo/16.7