A cross-site scripting (XSS) vulnerability was discovered in the WordPress SEO plugin SEOPress. Wordfence published these details before contacting the SEOPress publishers, who quickly fixed the problem and released a patch.

As per Wordfence:

“This flaw made it possible for an attacker to inject arbitrary web scripts on a vulnerable site, which would execute anytime a user accessed the ‘All Posts’ page.”

SEOPress is an SEO plugin that lets users manage title tags, description tags, alt tags, permalinks, social media cards, sitemaps, Google ad settings, and other elements. It’s active on over 100,000 sites.

What is the vulnerability in SEOPress?

“One feature the plugin implements is the ability to add an SEO title and description to posts. This is done while saving edits to a post or via a newly introduced REST-API endpoint,” researchers at Wordfence said in a Monday blog post. “Unfortunately, this REST-API endpoint was insecurely implemented.”

Any authenticated user, such as a subscriber, can take advantage of the bug (CVE-2021-34641) to edit the SEO title and description for any post by calling the REST route with a valid nonce.

The US government’s National Vulnerability Database website assigned the Wordfence-provided CNA (CVE Numbering Authority) rating for the SEOPress vulnerability: a medium severity grade and a score of 6.4 on a scale of 1 to 10.

Vulnerability could lead to full site takeover

According to researchers, depending on the attacker, the vulnerability could allow for a variety of malicious actions on the website, including full site takeover.

“The payload could include malicious web scripts, like JavaScript, due to a lack of sanitization or escaping on the stored parameters,” they wrote. “These web scripts would then execute any time a user accessed the ‘All Posts’ page. As always, cross-site scripting vulnerabilities such as this one can lead to a variety of malicious actions, like new administrative account creation, webshell injection, arbitrary redirects and more. This vulnerability could easily be used by an attacker to take over a WordPress site.”
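The two defects Wordfence describes, a REST endpoint whose permission check accepts any logged-in user and a stored value that is neither sanitized nor escaped, can be shown side by side. The snippet below is an added illustration, not SEOPress’s own code; the route, meta key and hook names are assumptions.

```php
// Added illustration, not SEOPress's own code: a WordPress REST endpoint
// that stores a per-post SEO title. Route, meta key and hook names are
// assumptions. The REST nonce only proves a logged-in session; it is not
// an authorization check, so the permission_callback has to do that work.

// WEAK (kept only for contrast, never registered): any logged-in user, a
// subscriber included, passes, and the value is stored without sanitization.
function example_seo_register_weak() {
    register_rest_route( 'example-seo/v1', '/title', array(
        'methods'             => 'POST',
        'permission_callback' => 'is_user_logged_in',
        'callback'            => function ( WP_REST_Request $req ) {
            update_post_meta( (int) $req['post_id'], '_example_seo_title', $req['title'] );
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );
}

// HARDENED: capability check bound to the specific post, input sanitized on
// the way in, output escaped on the way out.
function example_seo_register_hardened() {
    register_rest_route( 'example-seo/v1', '/title', array(
        'methods'             => 'POST',
        'args'                => array(
            'post_id' => array( 'required' => true, 'type' => 'integer' ),
            'title'   => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
        'permission_callback' => function ( WP_REST_Request $req ) {
            return current_user_can( 'edit_post', (int) $req['post_id'] );
        },
        'callback'            => function ( WP_REST_Request $req ) {
            update_post_meta( (int) $req['post_id'], '_example_seo_title', $req['title'] );
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );
}
add_action( 'rest_api_init', 'example_seo_register_hardened' );

// Escape at render time too: the "All Posts" list is where the stored value
// is shown to administrators, so a stored payload would fire here.
add_action( 'manage_posts_custom_column', function ( $column, $post_id ) {
    if ( 'example_seo_title' === $column ) {
        echo esc_html( get_post_meta( $post_id, '_example_seo_title', true ) );
    }
}, 10, 2 );
```

Sanitizing on input and escaping on output are both needed: the first keeps the stored value clean, the second protects the admin list even if a value reaches the database by another path.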

The Latest SEOPress Update

If you are using SEOPress and haven’t updated to the latest version, i.e. 5.0.4, then it is highly recommended that you update immediately.

WordPress plugins with vulnerabilities

Previously we have reported multiple vulnerabilities in WordPress plugins. Most vulnerabilities occur in plugins, and very few in themes.

Earlier, a front-end file manager plugin was hit by critical CSS bugs. Later, we also reported that an SQL-injection flaw was discovered in the WordPress plugin “Spam protection, AntiSpam, FireWall by CleanTalk”, which could allow an unauthenticated attacker to access user emails, passwords, credit-card data, and other sensitive information.

And in February, critical security vulnerabilities were found in the Ninja Forms WordPress plugin, which has more than 1 million active sites; they could make it possible for a remote attacker to take over a WordPress site and cause a number of other problems.
