A stored cross-site scripting (XSS) vulnerability in the SEOPress WordPress plugin could allow low-privileged, authenticated attackers to inject arbitrary web scripts into websites, researchers said.
Depending on what is injected, the bug could enable a number of malicious actions, up to and including full site takeover.
SEOPress is a search engine optimisation (SEO) tool that lets site owners manage SEO metadata, social-media cards, Google Ad settings and more. It is installed on more than 100,000 sites.
Title and Description
“One feature the plugin implements is the ability to add a SEO title and description to posts, and this can be done while saving edits to a post or via a newly introduced REST-API endpoint,” researchers at Wordfence stated in a Monday blog post. “Unfortunately, this REST-API endpoint was insecurely implemented.”
The bug (CVE-2021-34641) allows any authenticated user, even one holding only the subscriber role, to call the REST route with a valid nonce and update the SEO title and description of any post.
“The permissions call-back for the endpoint only verified if the user had a valid REST-API nonce in the request,” according to the posting. “A valid REST-API nonce can be generated by any authenticated user using the rest-nonce WordPress core AJAX action.”
Depending on what an attacker sets the title and description to, the flaw could enable a range of malicious actions, up to and including full site takeover, researchers observed.
“These web scripts would then execute any time a user accessed the ‘All Posts’ page. As always, cross-site scripting vulnerabilities such as this one can lead to a variety of malicious actions like new administrative account creation, webshell injection, arbitrary redirects and more. This vulnerability could easily be used by an attacker to take over a WordPress site.”
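The bug class Wordfence describes has two halves: a REST `permission_callback` that treats possession of a nonce as authorisation, and a stored string that is later rendered into an admin page without escaping. The plugin code below is an added illustration written for this article, not SEOPress code; the route names, meta keys and function names are hypothetical, chosen only to show the vulnerable pattern next to its hardened form as a WordPress plugin file.

```php
<?php
/**
 * Plugin Name: REST permission-callback demo (hypothetical example, not SEOPress code)
 *
 * Registers the same hypothetical route twice. The "vulnerable" variant
 * reproduces the bug class from the advisory: its permission callback only
 * checks for a REST nonce, which any logged-in user (a subscriber included)
 * can fetch from wp-admin/admin-ajax.php?action=rest-nonce. The hardened
 * variant checks a capability against the specific post and sanitises input.
 */

// Hypothetical meta keys, assumed for this example only.
const DEMO_TITLE_META = '_demo_seo_title';
const DEMO_DESC_META  = '_demo_seo_description';

add_action( 'rest_api_init', function () {

    // --- VULNERABLE PATTERN (do not use) --------------------------------
    // Possessing a 'wp_rest' nonce proves the caller is logged in, nothing
    // more. Every authenticated user therefore passes this check for every
    // post ID, which is the access-control failure described above.
    register_rest_route( 'demo/v1', '/seo-meta-vulnerable/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'demo_update_seo_meta_raw',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $nonce = (string) $request->get_header( 'X-WP-Nonce' );
            return (bool) wp_verify_nonce( $nonce, 'wp_rest' );
        },
    ) );

    // --- HARDENED PATTERN -----------------------------------------------
    // For cookie-authenticated REST calls, core already validates X-WP-Nonce
    // before any route runs, so the callback's job is authorisation: is this
    // user allowed to edit this particular post?
    register_rest_route( 'demo/v1', '/seo-meta/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'demo_update_seo_meta',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $post_id = (int) $request['id'];
            if ( null === get_post( $post_id ) ) {
                return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
            }
            // A subscriber has no edit_post capability, so this rejects them.
            if ( ! current_user_can( 'edit_post', $post_id ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to edit this post.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        'args' => array(
            'title'       => array( 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ),
            'description' => array( 'type' => 'string', 'sanitize_callback' => 'sanitize_textarea_field' ),
        ),
    ) );
} );

// Vulnerable handler: stores whatever it is given, so a payload such as
// <script>...</script> in "title" is persisted verbatim.
function demo_update_seo_meta_raw( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    update_post_meta( $post_id, DEMO_TITLE_META, (string) $request->get_param( 'title' ) );
    update_post_meta( $post_id, DEMO_DESC_META, (string) $request->get_param( 'description' ) );
    return rest_ensure_response( array( 'updated' => $post_id ) );
}

// Hardened handler: sanitises again so it stays safe even if later wired to
// a route whose 'args' schema omits sanitize_callback.
function demo_update_seo_meta( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    $title   = sanitize_text_field( (string) $request->get_param( 'title' ) );
    $desc    = sanitize_textarea_field( (string) $request->get_param( 'description' ) );
    update_post_meta( $post_id, DEMO_TITLE_META, $title );
    update_post_meta( $post_id, DEMO_DESC_META, $desc );
    return rest_ensure_response( array( 'updated' => $post_id, 'title' => $title, 'description' => $desc ) );
}

// Output side of a stored XSS: the advisory's payload fired on "All Posts"
// because the stored string reached the page unescaped. Rendering through
// esc_html() (for HTML body context) neutralises it even if sanitisation
// on the write path was bypassed.
add_filter( 'manage_post_posts_columns', function ( $columns ) {
    $columns['demo_seo_title'] = 'SEO title';
    return $columns;
} );
add_action( 'manage_post_posts_custom_column', function ( $column, $post_id ) {
    if ( 'demo_seo_title' === $column ) {
        echo esc_html( (string) get_post_meta( $post_id, DEMO_TITLE_META, true ) );
    }
}, 10, 2 );
```

To check a plugin for this pattern in a test install, log in as a subscriber, fetch a nonce from `/wp-admin/admin-ajax.php?action=rest-nonce`, then POST to the route with that value in an `X-WP-Nonce` header (and the session cookie). The vulnerable route above returns 200 and persists the payload for any post ID; the hardened route returns 403 (401 if not logged in) from `rest_authorization_required_code()`. When auditing, `grep` for `permission_callback` whose body is `__return_true` or a bare `wp_verify_nonce` call: neither establishes what the caller is allowed to do.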
To protect their websites, users should upgrade to version 5.0.4 of SEOPress, which contains the fix.
Vulnerabilities in WordPress plugins remain common. In July, for example, six critical flaws were disclosed in the Frontend File Manager plugin, affecting versions 17.1 and 18.2 and active on more than 2,000 websites.
Earlier, in March, The Plus Addons for Elementor plugin for WordPress was found to contain a critical security vulnerability that attackers could exploit to quickly, easily and remotely take over a website. First reported as a zero-day bug, it was being actively attacked in the wild, researchers said.
In February, an unpatched stored XSS bug was found in the Contact Form 7 Style plugin, potentially affecting 50,000 users.
In January, researchers warned of two vulnerabilities (one of them critical) in a WordPress plugin called Orbit Fox that could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.
Also that month, PopUp Builder, a plugin used by WordPress websites for building pop-up ads for newsletter subscriptions, was found to have a vulnerability that attackers could exploit to send out newsletters with custom content or to delete or import newsletter subscribers.