A cross-site scripting (XSS) flaw discovered in the SEOPress WordPress plugin could allow attackers to inject arbitrary web scripts into vulnerable installations and take over websites.
SEOPress is a popular SEO plugin that's designed specifically for websites that run WordPress and used across roughly 100,000 sites.
The flaw was discovered by WordPress security experts at Wordfence, who brought it to the attention of the plugin developer last month.
- We've built a list of the best WordPress plugins available
- These are the best WordPress hosting solutions on the market
- Also check out our roundup of the best WordPress themes
“One feature the plugin implements is the ability to add a SEO title and description to posts, and this can be done while saving edits to a post or via a newly introduced REST-API endpoint. Unfortunately, this REST-API endpoint was insecurely implemented,” wrote Chloe Chamberland, Threat Analyst at Wordfence.
Malicious payloads
Chamberland opines that cross-site scripting vulnerabilities such as the one discovered in SEOPress can be exploited to execute various malicious actions, such as the creation of new administrative accounts, webshell injection, arbitrary redirects, and could even enable an attacker to take over a WordPress website.
Sharing technical details about the vulnerability, Chamberland writes that it could be exploited by any authenticated user, such as a regular subscriber, to update the SEO title and description for any post.
“The payload could include malicious web scripts, like JavaScript, due to a lack of sanitization or escaping on the stored parameters,” says Chamberland, adding that these scripts would execute every time a user accesses the “All Posts” page.
This flaw has been fully patched in version SEOPress v5.0.4, and Wordfence urges all users of the plugin to update their installations.
- We’ve also rounded up the best SEO tools
