WordPress SEOPress Plugin XSS Vulnerability

Wordfence, a WordPress security software company, published details about a vulnerability in the popular WordPress SEO plugin SEOPress. Before making the announcement, Wordfence communicated the details of the vulnerability to the publishers of SEOPress, who promptly fixed the issue and published a patch.

According to Wordfence:

“This flaw made it possible for an attacker to inject arbitrary web scripts on a vulnerable site which would execute anytime a user accessed the “All Posts” page.”

The US government National Vulnerability Database website listed the Wordfence-supplied CNA (CVE Numbering Authority) rating for the SEOPress vulnerability as medium severity, with a score of 6.4 on a scale of 1 to 10.


The weakness enumeration is categorized as:

“Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)”

The vulnerability affects SEOPress versions 5.0.0 – 5.0.3.

What Is the SEOPress Vulnerability?

The official SEOPress changelog didn’t really describe the vulnerability or disclose that there was a vulnerability.

This isn’t a criticism of SEOPress, I’m just noting that SEOPress described the issue in vague terms:

“INFO Strengthening security (thanks to Wordfence)”

Screenshot of the SEOPress changelog

The issue affecting SEOPress allowed any authenticated user, with credentials as low as a subscriber, to update the SEO title and description of any post. Because this input was handled insecurely, in that the plugin did not properly sanitize it for scripts and other unintended content, an attacker could store malicious scripts that would then be used as part of a cross-site scripting attack.


Although this vulnerability is rated as medium by the National Vulnerability Database (possibly because the vulnerability affects sites that allow user registrations such as subscribers), Wordfence cautions that an attacker could “easily” take over a vulnerable website under the listed conditions.

Wordfence said this about the cross-site scripting (XSS) vulnerability:

“…cross-site scripting vulnerabilities such as this one can lead to a variety of malicious actions like new administrative account creation, webshell injection, arbitrary redirects, and more.”

Cross Web site Scripting (XSS) vulnerabilities assault vectors are usually in areas the place somebody can enter knowledge. Anyplace that somebody can enter data, like a contact kind, is a possible supply of an XSS vulnerability.

Software developers are supposed to “sanitize” the inputs, which means they’re supposed to check that what’s being entered is not something that’s unexpected.

REST API Input Insecure

This particular vulnerability affected the input related to entering the title and description of a post. Specifically, it affected what’s known as the WordPress REST API.

The WordPress REST API is an interface that allows WordPress plugins to interact with WordPress.

With the REST API, a plugin can interact with a WordPress site and modify the web pages.

The WordPress documentation describes it like this:

“Using the WordPress REST API you can create a plugin to provide an entirely new admin experience for WordPress, build a brand new interactive front-end experience, or bring your WordPress content into completely separate applications.”


According to Wordfence, the SEOPress WordPress REST API endpoint was implemented in an insecure manner, in that the plugin did not properly sanitize the inputs coming through this method.
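The two points the article makes, that a subscriber-level account could write the SEO title and description of any post through a REST endpoint, and that the endpoint did not sanitize what it stored, are easiest to see side by side in code. The following is an added example written for this page; it is not SEOPress code and does not reproduce the plugin's actual route, meta keys or fix. The namespace example-seo/v1, the meta keys _example_seo_title and _example_seo_desc, and every function name are constructed for illustration. It shows the weak shape first (only hooked up for comparison, never registered), then the hardened shape using the standard WordPress building blocks: a permission_callback that checks the edit_post capability for the specific post, sanitize_callback/validate_callback on each argument, and esc_html() when the stored value is rendered on the "All Posts" screen, which is where Wordfence says the injected script would have executed.

```php
<?php
/*
 * Added example (not SEOPress code). A custom REST route that stores a
 * per-post SEO title and description. Namespace, route, meta keys and
 * function names are constructed for this example.
 */

// --- Weak shape: any logged-in user can write raw markup into any post's meta. ---
// Defined for comparison only; it is deliberately never registered below.
function example_seo_register_weak_route() {
    register_rest_route( 'example-seo/v1', '/meta/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        // is_user_logged_in() accepts a subscriber, who cannot edit posts.
        'permission_callback' => 'is_user_logged_in',
        'callback'            => function ( WP_REST_Request $request ) {
            $post_id = (int) $request['id'];
            // No sanitisation: "<script>...</script>" is stored as-is and later
            // echoed raw on the admin post list, which is the stored XSS the article describes.
            update_post_meta( $post_id, '_example_seo_title', $request->get_param( 'title' ) );
            update_post_meta( $post_id, '_example_seo_desc', $request->get_param( 'description' ) );
            return rest_ensure_response( array( 'updated' => $post_id ) );
        },
    ) );
}

// --- Hardened shape: least privilege on the route, sanitise on input, escape on output. ---
function example_seo_register_hardened_route() {
    register_rest_route( 'example-seo/v1', '/meta/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_seo_update_meta',
        // Only a user who may edit *this* post may change its SEO fields. A subscriber
        // fails current_user_can( 'edit_post' ) and receives a rest_forbidden error.
        'permission_callback' => function ( WP_REST_Request $request ) {
            $post_id = (int) $request['id'];
            if ( ! get_post( $post_id ) ) {
                return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
            }
            return current_user_can( 'edit_post', $post_id );
        },
        'args' => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) { return is_numeric( $value ) && (int) $value > 0; },
                'sanitize_callback' => 'absint',
            ),
            // sanitize_text_field() strips tags and encodes stray '<', so markup never
            // reaches the database. A length cap bounds what an attacker can store at all.
            'title' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) { return is_string( $value ) && strlen( $value ) <= 200; },
            ),
            'description' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) { return is_string( $value ) && strlen( $value ) <= 500; },
            ),
        ),
    ) );
}

function example_seo_update_meta( WP_REST_Request $request ) {
    // By the time the callback runs, 'id', 'title' and 'description' have passed
    // their validate_callback and been through their sanitize_callback.
    $post_id = $request['id'];
    if ( null !== $request->get_param( 'title' ) ) {
        update_post_meta( $post_id, '_example_seo_title', $request['title'] );
    }
    if ( null !== $request->get_param( 'description' ) ) {
        update_post_meta( $post_id, '_example_seo_desc', $request['description'] );
    }
    return rest_ensure_response( array( 'updated' => $post_id ) );
}

// Output side: the stored title is shown as a column on the "All Posts" screen.
// Escaping here is the second, independent layer: even if a bad value reached the
// database some other way (older rows, an import, another plugin), esc_html()
// turns it into inert text instead of executable markup.
function example_seo_add_column( $columns ) {
    $columns['example_seo'] = 'SEO title';
    return $columns;
}
function example_seo_render_column( $column, $post_id ) {
    if ( 'example_seo' === $column ) {
        echo esc_html( get_post_meta( $post_id, '_example_seo_title', true ) );
    }
}

add_action( 'rest_api_init', 'example_seo_register_hardened_route' );
add_filter( 'manage_post_posts_columns', 'example_seo_add_column' );
add_action( 'manage_post_posts_custom_column', 'example_seo_render_column', 10, 2 );
```

The two fixes are independent and both are needed: the permission_callback removes the subscriber's ability to write to other people's posts at all, and sanitize_text_field() plus esc_html() ensure that even a legitimate editor cannot, accidentally or otherwise, get script into the admin page. Checking the capability against the specific post ID (rather than a generic "is logged in" test) is the least-privilege rule that the medium CVSS rating here hinges on, since the issue only bites on sites that allow low-privilege registrations.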

Citations

WordFence SEOPress Vulnerability Announcement

National Vulnerability Database entry on the SEOPress Stored Cross-Site-Scripting issue

WordPress REST API Handbook
