XSS vulnerability patched in SEOPress, a WordPress Plugin installed on over 100,000 sites.
The flaw made it possible for an attacker to inject arbitrary web scripts on a vulnerable site which would execute anytime a user accessed the “All Posts” page.
SEOPress is a WordPress plugin designed to optimize the SEO of WordPress sites through many different features, like the ability to add SEO meta-data, breadcrumbs, schemas, and more. One feature the plugin implements is the ability to add an SEO title and description to posts, and this can be done while saving edits to a post or via a newly introduced REST-API endpoint.
register_rest_route('seopress/v1', '/posts/(?P<id>\d+)/title-description-metas', [
    'methods'  => 'PUT',
    'callback' => [$this, 'processPut'],
    'args'     => [
        'id' => [
            // Only checks that the id is numeric; this is input validation, not authorization.
            'validate_callback' => function ($param, $request, $key) {
                return is_numeric($param);
            },
        ],
    ],
    // ... the 'permission_callback' entry of this same array is shown below
]);
Unfortunately, this REST-API endpoint was insecurely implemented. The permission_callback for the endpoint only verified that the request carried a valid REST-API nonce. A valid REST-API nonce can be generated by any authenticated user using the rest-nonce WordPress core AJAX action. This meant that any authenticated user, like a subscriber, could call the REST route with a valid nonce and update the SEO title and description for any post.
    'permission_callback' => function ($request) {
        // Only the REST nonce is checked, which any logged-in user can obtain;
        // there is no capability check such as current_user_can('edit_post', $id).
        $nonce = $request->get_header('x-wp-nonce');
        if ( ! wp_verify_nonce($nonce, 'wp_rest')) {
            return false;
        }
        return true;
    },
The payload could include malicious web scripts, like JavaScript, due to a lack of sanitization or escaping on the stored parameters. These web scripts would then execute any time a user accessed the “All Posts” page. As always, cross-site scripting vulnerabilities such as this one can lead to a variety of malicious actions like new administrative account creation, web shell injection, arbitrary redirects, and more. This vulnerability could easily be used by an attacker to take over a WordPress site.
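For comparison, here is an added example (not SEOPress code) of how a route like this is registered with a proper authorization check and input sanitization; the callback names and the meta keys are placeholders, not the plugin's own.

```php
<?php
// Added example, not code from SEOPress. Hardened registration of the route described above.
// Assumed: 'example_put_title_description' and the '_example_*' meta keys are placeholders.
add_action('rest_api_init', function () {
    register_rest_route('seopress/v1', '/posts/(?P<id>\d+)/title-description-metas', [
        'methods'  => 'PUT',
        'callback' => 'example_put_title_description',
        'args'     => [
            'id' => [
                'validate_callback' => function ($param) {
                    return is_numeric($param);
                },
            ],
            // Strip tags from the stored values before they ever reach the database.
            'title'       => ['sanitize_callback' => 'sanitize_text_field'],
            'description' => ['sanitize_callback' => 'sanitize_text_field'],
        ],
        // WordPress core already validates the X-WP-Nonce header for cookie-based REST
        // requests. A nonce only proves a logged-in session; authorization must be
        // checked separately, here against the capability for this specific post.
        'permission_callback' => function (WP_REST_Request $request) {
            $post_id = (int) $request['id'];
            if (! current_user_can('edit_post', $post_id)) {
                return new WP_Error('rest_forbidden', 'You cannot edit this post.', ['status' => 403]);
            }
            return true;
        },
    ]);
});

function example_put_title_description(WP_REST_Request $request) {
    $post_id = (int) $request['id'];
    // 'title' and 'description' were already passed through sanitize_text_field.
    update_post_meta($post_id, '_example_seo_title', $request['title']);
    update_post_meta($post_id, '_example_seo_description', $request['description']);
    return rest_ensure_response(['updated' => true]);
}

// Escape on output as well, e.g. when rendering the value in an "All Posts" column,
// so a stored value can never be interpreted as markup by the browser.
function example_render_seo_title_column($post_id) {
    echo esc_html(get_post_meta($post_id, '_example_seo_title', true));
}
```

A subscriber holds a valid nonce but lacks edit_post on other users' posts, so the capability check alone closes the access-control hole; sanitizing on input and escaping on output removes the stored-XSS sink independently.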
If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a vulnerability that can lead to a full site takeover.
Bijay Pokharel