WordPress SEOPress Plugin Vulnerability

Wordfence, a WordPress security software company, published details about a vulnerability in popular WordPress SEO software SEOPress. Before making the announcement, WordFence communicated the details of the vulnerability to the publishers of SEOPress who promptly fixed the issue and published a patch to fix it.

According to WordFence:

“This flaw made it possible for an attacker to inject arbitrary web scripts on a vulnerable site which would execute anytime a user accessed the “All Posts” page.”

The United States government National Vulnerability Database website listed the Wordfence provided CNA (CVE Numbering Authority) rating for the SEOPress vulnerability as a medium level rating and a score of 6.4 on a scale of 1 to 10.

The weakness enumeration is categorized as:

“Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)”

The vulnerability affects SEOPress versions 5.0.0 – 5.0.3.

What is the SEOPress Vulnerability?

The official SEOPress changelog didn’t really describe the vulnerability or disclose that there was a vulnerability.

This isn’t a criticism of SEOPress, I’m just noting that SEOPress described the problem in vague terms:

“INFO Strengthening security (thanks to Wordfence)”

Screenshot of SEOPress Changelog

The issue affecting SEOPress allows any authenticated user, with credentials as low as a subscriber, could update the title and description of any post. Because this input was insecure in that it didn’t properly sanitize this input for scripts and other unintended uploads, an attacker could upload malicious scripts that could then be used as part of a cross site scripting attack.

Although this vulnerability is rated as medium by the National Vulnerability Database (possibly because the vulnerability affects sites that allow user registrations such as subscribers), WordFence cautions that an attacker could “easily” take over a vulnerable website under the listed circumstances.

WordFence said this about the cross-site scripting (XSS) vulnerability:

“…cross-site scripting vulnerabilities such as this one can lead to a variety of malicious actions like new administrative account creation, webshell injection, arbitrary redirects, and more.”

Cross Site Scripting (XSS) vulnerabilities attack vectors are typically in areas where someone can input data. Anywhere that someone can enter information, like a contact form, is a potential source of an XSS vulnerability.

Software developers are supposed to “sanitize” the inputs, which means they are supposed to check that what is being input is not something that is unexpected.

REST API Input Insecure

This particular vulnerability affected the input related to entering title and description of a post. Specifically, it affected what’s known as the WordPress REST API.

The WordPress REST API is an interface that allows WordPress plugins to interact with WordPress.

With the REST API, a plugin can interact with a WordPress site and modify the web pages.

The WordPress documentation describes it like this:

“Using the WordPress REST API you can create a plugin to provide an entirely new admin experiences for WordPress, build a brand new interactive front-end experience, or bring your WordPress content into completely separate applications.”

According to WordFence, the SEOPress WordPress REST API endpoint was implemented in an insecure manner in that the plugin did not properly sanitize the inputs through this method.

Citations

WordFence SEOPress Vulnerability Announcement

National Vulnerability Database entry on the SEOPress Stored Cross-Site-Scripting issue

WordPress REST API Handbook