A stored cross-site scripting (XSS) vulnerability in the SEOPress WordPress plugin could allow attackers to inject arbitrary web scripts into websites, researchers said.
SEOPress is a search engine optimization (SEO) tool that lets site owners manage SEO metadata, social-media cards, Google Ad settings and more. It’s installed on more than 100,000 sites.
“One feature the plugin implements is the ability to add a SEO title and description to posts, and this can be done while saving edits to a post or via a newly introduced REST-API endpoint,” researchers at Wordfence said in a Monday blog post. “Unfortunately, this REST-API endpoint was insecurely implemented.”
The bug (CVE-2021-34641) allows any authenticated user, like a subscriber, to call the REST route with a valid nonce, and to update the SEO title and description for any post.
“The permissions_callback for the endpoint only verified if the user had a valid REST-API nonce in the request,” according to the posting. “A valid REST-API nonce can be generated by any authenticated user using the rest-nonce WordPress core AJAX action.”
Depending on what an attacker updates the title and description to, it would allow a number of malicious actions, up to and including full site takeover, researchers said.
“The payload could include malicious web scripts, like JavaScript, due to a lack of sanitization or escaping on the stored parameters,” they wrote. “These web scripts would then execute any time a user accessed the ‘All Posts’ page. As always, cross-site scripting vulnerabilities such as this one can lead to a variety of malicious actions like new administrative account creation, webshell injection, arbitrary redirects and more. This vulnerability could easily be used by an attacker to take over a WordPress site.”
To protect their websites, users should upgrade to version 5.0.4 of SEOPress.
WordPress Plugin Issues Persist
Vulnerabilities in WordPress plugins remain fairly common. For instance, in July six critical flaws were disclosed that affected the WordPress plugin Front File Manager versions 17.1 and 18.2, active on more than 2,000 websites.
Earlier in the year, in March, The Plus Addons for Elementor plugin for WordPress was discovered to contain a critical security vulnerability that attackers can exploit to quickly, easily and remotely take over a website. First reported as a zero-day bug, researchers said that it was being actively attacked in the wild.
In February, an unpatched, stored XSS security bug was found to potentially affect 50,000 Contact Form 7 Style plugin users.
And in January, researchers warned of two vulnerabilities (one critical) in a WordPress plugin called Orbit Fox that could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.
Also that month, a plugin called PopUp Builder, used by WordPress websites for building pop-up ads for newsletter subscriptions, was found to have a vulnerability that could be exploited by attackers to send out newsletters with custom content or to delete or import newsletter subscribers.
Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11AM EST for this LIVE discussion.