A serious vulnerability in the SEOPress plugin put thousands of WordPress websites at risk. Exploiting it allowed a low-privileged user to inject arbitrary scripts into a site's admin pages, which in turn could lead to full site takeover.
SEOPress Plugin Vulnerability
SEOPress is a dedicated plugin for managing the SEO of WordPress websites via different features.
As described in the researchers' disclosure, a medium-severity stored cross-site scripting (XSS) vulnerability existed in the plugin's REST API endpoint used to set the SEO title and description of posts. Because the endpoint checked authentication but not authorization, any authenticated user could change the SEO title and description of any post on the site.
Unfortunately, this REST API endpoint was insecurely implemented. The permission_callback for the endpoint only verified that the request carried a valid REST API nonce. A valid REST API nonce can be generated by any authenticated user via the rest-nonce WordPress core AJAX action, and the nonce only proves that the request came from a logged-in browser session; it says nothing about what that user is allowed to do. This meant that any authenticated user, even a subscriber, could call the REST route with a valid nonce and update the SEO title and description of any post, including posts they had no capability to edit.
An adversary could exploit this to store malicious web scripts in those fields. The plugin rendered the stored values without escaping, so the scripts executed in the browser of any user who opened the "All Posts" page in the dashboard. Run in an administrator's session, such a payload could create rogue accounts, redirect visitors to arbitrary sites, or otherwise take over the website.
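To make the two failures concrete, the following is an added illustrative example written for this article; it is not SEOPress's code, and the namespace, route, meta key and column names are hypothetical. The first route reproduces the weak pattern the disclosure describes (a permission_callback that checks only the REST nonce and stores the value raw). The second route ties authorization to the specific post with current_user_can('edit_post', ...), sanitizes the input through the route's argument schema, and escapes the value again when rendering it in the admin post list.

```php
<?php
// Added example, not SEOPress code. Names below (example-seo/v1, _example_seo_title,
// example_seo_title column) are hypothetical placeholders.

// --- Weak pattern, as described in the disclosure ------------------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-seo/v1', '/title/(?P<id>\d+)', array(
        'methods'  => 'POST',
        'callback' => 'example_seo_update_title_weak',
        // Any logged-in user (a subscriber included) can fetch a 'wp_rest' nonce
        // from the core rest-nonce AJAX action, so this check only proves the
        // request came from a logged-in session. It never asks whether the
        // caller may edit post {id}.
        'permission_callback' => function ( WP_REST_Request $request ) {
            $nonce = $request->get_header( 'X-WP-Nonce' );
            return (bool) wp_verify_nonce( $nonce, 'wp_rest' );
        },
    ) );
} );

function example_seo_update_title_weak( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    // Stored unsanitized: a "<script>..." title lands in post meta and is later
    // rendered into the admin "All Posts" table (stored XSS).
    update_post_meta( $post_id, '_example_seo_title', $request['title'] );
    return rest_ensure_response( array( 'updated' => true ) );
}

// --- Hardened pattern ----------------------------------------------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-seo/v1', '/title-secure/(?P<id>\d+)', array(
        'methods'  => 'POST',
        'callback' => 'example_seo_update_title_secure',
        'args'     => array(
            'title' => array(
                'type'              => 'string',
                'required'          => true,
                // Strips tags and control characters before the callback sees it.
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
        // Authorization is bound to the target post: WordPress maps 'edit_post'
        // to edit_posts / edit_others_posts depending on ownership, so a
        // subscriber (or an author on someone else's post) receives HTTP 403.
        'permission_callback' => function ( WP_REST_Request $request ) {
            $post_id = (int) $request['id'];
            if ( ! get_post( $post_id ) ) {
                return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
            }
            if ( ! current_user_can( 'edit_post', $post_id ) ) {
                return new WP_Error( 'rest_forbidden', 'You are not allowed to edit this post.', array( 'status' => 403 ) );
            }
            return true;
        },
    ) );
} );

function example_seo_update_title_secure( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    // $request['title'] has already passed through sanitize_text_field (see 'args').
    update_post_meta( $post_id, '_example_seo_title', $request['title'] );
    return rest_ensure_response( array( 'updated' => true ) );
}

// Defence in depth: escape on output as well, so a value that reached post meta by
// any other path is still inert when shown in the admin post list column.
add_filter( 'manage_posts_columns', function ( $columns ) {
    $columns['example_seo_title'] = 'SEO title';
    return $columns;
} );
add_action( 'manage_posts_custom_column', function ( $column, $post_id ) {
    if ( 'example_seo_title' === $column ) {
        echo esc_html( get_post_meta( $post_id, '_example_seo_title', true ) );
    }
}, 10, 2 );
```

The practical check when reviewing a plugin's REST routes is to read every permission_callback and ask what it proves: a nonce check, is_user_logged_in(), or a bare __return_true establishes at most that the caller has an account, while a capability check against the specific object (here current_user_can('edit_post', $post_id)) is what actually prevents a subscriber from modifying content they do not own.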
Patch Rolled Out
After discovering the bug in late July, the researchers reported the flaw to the plugin developers.
Given the 100,000+ active installations listed on the plugin page, the vulnerability potentially affected thousands of websites.
Following the report, the developers quickly patched the flaw in SEOPress version 5.0.4.
All WordPress administrators running this plugin should therefore update to the latest version as soon as possible, and check the SEO title and description fields of existing posts for unexpected script content.
Let us know your thoughts in the comments.