Stored XSS Vulnerability in Google Analytics by Yoast WordPress Plugin


.. contents:: Table Of Content


  • Title: Stored XSS Vulnerability in Google Analytics by Yoast WordPress Plugin
  • Author: Kaustubh G. Padwad, Rohit Kumar
  • Plugin Homepage:
  • Severity: Medium
  • Version Affected: Version 5.3.2 and mostly prior to it
  • Version Tested: Version 5.3.2
  • Version Patched:


Vulnerable Parameter

  • Current UA-Profile
  • Manually enter your UA code
  • Label for those links
  • Set path for internal links to track as outbound links:
  • Subdomain tracking:
  • Extensions of files to track as downloads:

About Vulnerability

This plugin is vulnerable to stored cross-site scripting (XSS). The issue can be exploited by administrator users who have access to the "Google Analytics by Yoast" settings in WordPress: each of the parameters listed above is vulnerable to stored XSS. A malicious administrator can hijack other users' sessions, take control of another administrator's browser, or install malware on their computer.

Vulnerability Class

Steps to Reproduce: (POC)

After installing the plugin:
  • Go to Settings --> Google Analytics by Yoast
  • Enter this payload in "Manually enter your UA code": v style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x
  • Click the Save Changes button and move your cursor to the input box; you will see the XSS in action
  • Reload the page or navigate to it again to confirm that the payload is stored ;)
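
An added example, not the plugin's code or its fix: a minimal PHP model of one settings field, showing allowlist validation when the value is saved and attribute-context escaping when it is rendered. The field name `manual_ua_code`, the function names and the UA-ID pattern are assumptions, and `htmlspecialchars()` stands in for WordPress's `esc_attr()` so the script runs outside WordPress.

```php
<?php
// Added example: a constructed model of a settings field, not the plugin's code.

// Allowlist check on save. Assumed format: a Universal Analytics property ID
// such as UA-12345678-1. Anything else is rejected rather than "cleaned".
function validate_ua_code(string $raw): ?string
{
    $candidate = trim($raw);
    return preg_match('/\AUA-\d{4,10}-\d{1,4}\z/', $candidate) === 1 ? $candidate : null;
}

// Unsafe: the stored value is concatenated into the attribute unescaped,
// so a double quote in the value ends the attribute and adds new ones.
function render_field_unsafe(string $stored): string
{
    return '<input type="text" name="manual_ua_code" value="' . $stored . '">';
}

// Safe: encode for the HTML attribute context at output time.
// In WordPress this is what esc_attr() is for.
function render_field_safe(string $stored): string
{
    $encoded = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="manual_ua_code" value="' . $encoded . '">';
}

// Constructed sample inputs: one valid ID and one value that closes the attribute.
$samples = [
    'UA-12345678-1',
    'x" onmouseover="prompt(1)',
];

foreach ($samples as $input) {
    $accepted = validate_ua_code($input);
    echo 'input:    ', $input, PHP_EOL;
    echo 'on save:  ', $accepted === null ? 'rejected' : 'accepted', PHP_EOL;
    echo 'unsafe:   ', render_field_unsafe($input), PHP_EOL;
    echo 'escaped:  ', render_field_safe($input), PHP_EOL, PHP_EOL;
}
```

Validation and escaping cover different failures: the allowlist keeps malformed values out of the database, while output escaping still protects the page if a bad value was stored before the check existed.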


Change Log


22-February-2015 Reported to developer
25-February-2015 Fixed by developer
05-March-2015 Issue Closed with team.
06-March-2015 Public Disclosure


