Wordfence, a WordPress security software company, published details about a vulnerability in popular WordPress SEO software SEOPress. Before making the announcement, WordFence communicated the details of the vulnerability to the publishers of SEOPress who promptly fixed the issue and published a patch to fix it.
According to WordFence:
“This flaw made it possible for an attacker to inject arbitrary web scripts on a vulnerable site which would execute anytime a user accessed the “All Posts” page.”
The United States government National Vulnerability Database website listed the Wordfence provided CNA (CVE Numbering Authority) rating for the SEOPress vulnerability as a medium level rating and a score of 6.4 on a scale of 1 to 10.
Advertisement
Continue Reading Below
The weakness enumeration is categorized as:
“Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)”
The vulnerability affects SEOPress versions 5.0.0 – 5.0.3.
The official SEOPress changelog didn’t really describe the vulnerability or disclose that there was a vulnerability.
This isn’t a criticism of SEOPress, I’m just noting that SEOPress described the problem in vague terms:
“INFO Strengthening security (thanks to Wordfence)”
The issue affecting SEOPress allows any authenticated user, with credentials as low as a subscriber, could update the title and description of any post. Because this input was insecure in that it didn’t properly sanitize this input for scripts and other unintended uploads, an attacker could upload malicious scripts that could then be used as part of a cross site scripting attack.
Advertisement
Continue Reading Below
Although this vulnerability is rated as medium by the National Vulnerability Database (possibly because the vulnerability affects sites that allow user registrations such as subscribers), WordFence cautions that an attacker could “easily” take over a vulnerable website under the listed circumstances.
WordFence said this about the cross-site scripting (XSS) vulnerability:
“…cross-site scripting vulnerabilities such as this one can lead to a variety of malicious actions like new administrative account creation, webshell injection, arbitrary redirects, and more.”
Cross Site Scripting (XSS) vulnerabilities attack vectors are typically in areas where someone can input data. Anywhere that someone can enter information, like a contact form, is a potential source of an XSS vulnerability.
Software developers are supposed to “sanitize” the inputs, which means they are supposed to check that what is being input is not something that is unexpected.
This particular vulnerability affected the input related to entering title and description of a post. Specifically, it affected what’s known as the WordPress REST API.
The WordPress REST API is an interface that allows WordPress plugins to interact with WordPress.
With the REST API, a plugin can interact with a WordPress site and modify the web pages.
The WordPress documentation describes it like this:
“Using the WordPress REST API you can create a plugin to provide an entirely new admin experiences for WordPress, build a brand new interactive front-end experience, or bring your WordPress content into completely separate applications.”
Advertisement
Continue Reading Below
According to WordFence, the SEOPress WordPress REST API endpoint was implemented in an insecure manner in that the plugin did not properly sanitize the inputs through this method.
WordFence SEOPress Vulnerability Announcement
National Vulnerability Database entry on the SEOPress Stored Cross-Site-Scripting issue
This is a programming note that I will be completely offline for the last days…
WordPress announced the rollout of Studio by WordPress, a new local development tool that makes…
Google updated their guidance with five changes on how to debug ranking drops. The new…
Google has officially completed its March 2024 Core Update, ending over a month of ranking…
Here is a recap of what happened in the search forums today, through the eyes…
The Google March 2024 core update finished a week ago and Google did not tell…
This website uses cookies.
Leave a Comment