WordPress SEOPress Plugin XSS Vulnerability


Wordfence, a WordPress security software company, published details about a vulnerability in the popular WordPress SEO software SEOPress. Prior to the announcement, Wordfence communicated the vulnerability details to the publishers of SEOPress, who immediately corrected the issue and released a patch to resolve it.

According to Wordfence:

“This error allowed an attacker to inject arbitrary web scripts onto a vulnerable Web site that would execute at any time a user accessed the ‘All Posts’ page.”

The U.S. government's National Vulnerability Database website listed the Wordfence-provided CVE Numbering Authority (CNA) rating for the SEOPress vulnerability as medium, with a score of 6.4 on a scale of 1 to 10.


The weakness is categorized as:

“Cross-site Scripting Invalid Neutralization of Web Page Generation”

The vulnerability affects SEOPress versions 5.0.0 – 5.0.3.

What Is the SEOPress Vulnerability?

The official SEOPress changelog did not properly describe the vulnerability or reveal that there was a vulnerability.

This is not a critique of SEOPress; I am just noting that SEOPress described the problem in vague terms:

“INFO Strengthening Security (Thanks to Wordfence)”

Screenshot of SEOPress Changelog

The issue affecting SEOPress allows any authenticated user, with credentials as low as a subscriber, to update the title and description of any post. Because the plugin did not properly sanitize this input for scripts and other unintended uploads, an attacker could upload malicious scripts that could then be used as part of a cross-site scripting attack.


Although this vulnerability is classified as medium by the National Vulnerability Database (possibly because the vulnerability affects sites that allow user registrations such as Subscribers), Wordfence warns that an attacker could “easily” take over a vulnerable site under the circumstances.

Wordfence said this about cross-site scripting (XSS) vulnerabilities:

“… cross-site scripting vulnerabilities like this can lead to a number of malicious actions such as creating a new administrative account, webshell injection, random redirects and more.”

Attack vectors for cross-site scripting (XSS) vulnerabilities are typically found in areas where someone can enter data. Anywhere a person can enter information, such as a contact form, is a potential source of an XSS vulnerability.

Software developers are supposed to “sanitize” input, which means checking that what is entered is not something unexpected.

Insecure REST API Input

This particular vulnerability affected inputs related to entering the title and description of a post. In particular, it affected what is known as the WordPress REST API.

The WordPress REST API is an interface that allows WordPress plugins to interact with WordPress.

With the REST API, a plugin can interact with a WordPress site and modify the web pages.

The WordPress documentation describes it as follows:

“Using the WordPress REST API, you can create a plugin to deliver a whole new admin experience to WordPress, build a whole new interactive front-end experience, or bring your WordPress content into completely separate applications.”


According to Wordfence, the SEOPress WordPress REST API endpoint was implemented in an insecure way, as the plugin did not properly sanitize input submitted via this method.
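The two controls discussed above for a plugin REST endpoint, a per-post capability check and sanitized title and description arguments, plus escaping where the stored value is rendered. This is an added example, not code from SEOPress or Wordfence; the namespace, route, meta keys and column name are hypothetical.

```php
<?php
// Added example: hypothetical plugin code, not SEOPress's source.
// The namespace, route, meta keys and column name are assumptions.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-seo/v1', '/posts/(?P<id>\d+)/meta', array(
        'methods'  => 'PUT',
        'callback' => 'example_seo_update_meta',
        // Weak pattern: a callback that only checks is_user_logged_in()
        // lets a subscriber edit any post. Check the capability per post.
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_post', (int) $request['id'] );
        },
        'args' => array(
            'id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && null !== get_post( (int) $value );
                },
            ),
            // Strip tags and stray markup before the value is stored.
            'title' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
            'description' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_textarea_field',
            ),
        ),
    ) );
} );

function example_seo_update_meta( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    foreach ( array( 'title', 'description' ) as $field ) {
        $value = $request->get_param( $field ); // already sanitized by 'args'
        if ( null !== $value ) {
            update_post_meta( $post_id, "_example_seo_{$field}", $value );
        }
    }
    return rest_ensure_response( array( 'updated' => $post_id ) );
}

// Escape again on output: the admin post list is where a stored value renders.
add_action( 'manage_posts_custom_column', function ( $column, $post_id ) {
    if ( 'example_seo_title' === $column ) {
        echo esc_html( get_post_meta( $post_id, '_example_seo_title', true ) );
    }
}, 10, 2 );
```

Sanitizing on write and escaping on read are both kept here so that a value stored before the fix, or written through another code path, still renders as inert text.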

Citations

Wordfence announcement of the SEOPress vulnerability

National Vulnerability Database entry on the SEOPress stored cross-site scripting issue

WordPress REST API Guide
