Nasty WordPress plugin bug puts 100,000 sites at risk


A cross-site scripting (XSS) flaw discovered in the SEOPress WordPress plugin could allow attackers to inject arbitrary web scripts into vulnerable installations and take over websites.

SEOPress is a popular SEO plugin built specifically for websites that run WordPress, and it is installed on roughly 100,000 sites.

The flaw was discovered by WordPress security experts at Wordfence, who brought it to the attention of the plugin developer last month.

“One feature the plugin implements is the ability to add a SEO title and description to posts, and this can be done while saving edits to a post or via a newly introduced REST-API endpoint. Unfortunately, this REST-API endpoint was insecurely implemented,” wrote Chloe Chamberland, Threat Analyst at Wordfence.

Malicious payloads

Chamberland explains that cross-site scripting vulnerabilities such as the one discovered in SEOPress can be exploited to carry out various malicious actions, such as creating new administrative accounts, injecting webshells and setting up arbitrary redirects, and could even enable an attacker to take over a WordPress website.

Sharing technical details about the vulnerability, Chamberland writes that it could be exploited by any authenticated user, such as a regular subscriber, to update the SEO title and description for any post.

“The payload could include malicious web scripts, like JavaScript, due to a lack of sanitization or escaping on the stored parameters,” says Chamberland, adding that these scripts would execute every time a user accesses the “All Posts” page.
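As an added illustration, and not SEOPress's own code, the following hypothetical WordPress plugin route shows the two controls the article describes as missing: a permission check so that a subscriber cannot write another post's SEO fields through the REST API, and sanitization of the stored title and description with escaping when the admin list table renders them. The namespace, meta keys, column and function names are all assumed.

```php
<?php
// Hypothetical plugin snippet (not SEOPress code). It stores a per-post SEO
// title/description through a REST route with the two controls the article
// says were missing: an authorization check and sanitization/escaping.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-seo/v1', '/posts/(?P<id>\d+)/meta', array(
        'methods'             => 'POST',
        'callback'            => 'example_seo_update_meta',
        // Authorization: only users allowed to edit THIS post may change its
        // SEO fields. A subscriber fails this check and receives HTTP 403.
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_post', (int) $request['id'] );
        },
        'args' => array(
            'id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && get_post( (int) $value ) !== null;
                },
            ),
            // Input sanitization: strips tags and control characters.
            'title'       => array( 'sanitize_callback' => 'sanitize_text_field' ),
            'description' => array( 'sanitize_callback' => 'sanitize_text_field' ),
        ),
    ) );
} );

function example_seo_update_meta( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    update_post_meta( $post_id, '_example_seo_title', $request['title'] );
    update_post_meta( $post_id, '_example_seo_description', $request['description'] );
    return rest_ensure_response( array( 'updated' => true ) );
}

// Admin "All Posts" column. Escaping at render time is what stops a stored
// payload from executing in every editor's browser; sanitizing on input above
// is defence in depth, not a substitute for this.
add_filter( 'manage_posts_columns', function ( $columns ) {
    $columns['example_seo_title'] = 'SEO title';
    return $columns;
} );
add_action( 'manage_posts_custom_column', function ( $column, $post_id ) {
    if ( 'example_seo_title' === $column ) {
        echo esc_html( get_post_meta( $post_id, '_example_seo_title', true ) );
    }
}, 10, 2 );
```

When reviewing a plugin's REST routes, a `permission_callback` that returns `true` unconditionally, or output that echoes post meta without `esc_html()` or `esc_attr()`, is the pattern to look for.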

This flaw has been fully patched in SEOPress version 5.0.4, and Wordfence urges all users of the plugin to update their installations.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.