The bug would allow a number of malicious actions, up to and including full site takeover. The vulnerable plugin is installed on 100,000 websites.
A stored cross-site scripting (XSS) vulnerability in the SEOPress WordPress plugin could allow attackers to inject arbitrary web scripts into websites, researchers said.
SEOPress is a search engine optimization (SEO) tool that lets site owners manage SEO metadata, social-media cards, Google Ad settings and more. It’s installed on more than 100,000 sites.
“One feature the plugin implements is the ability to add a SEO title and description to posts, and this can be done while saving edits to a post or via a newly introduced REST-API endpoint,” researchers at Wordfence said in a Monday blog post. “Unfortunately, this REST-API endpoint was insecurely implemented.”
The bug (CVE-2021-34641) allows any authenticated user, like a subscriber, to call the REST route with a valid nonce, and to update the SEO title and description for any post.
“The permissions_callback for the endpoint only verified if the user had a valid REST-API nonce in the request,” according to the posting. “A valid REST-API nonce can be generated by any authenticated user using the rest-nonce WordPress core AJAX action.”
Depending on what an attacker updates the title and description to, it would allow a number of malicious actions, up to and including full site takeover, researchers said.
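To make the failure mode concrete for plugin authors, here is an added PHP example (written for this article, not SEOPress's own code) that registers the same kind of route twice: once with a permission callback that only checks the REST nonce, as the Wordfence description puts it, and once requiring the `edit_post` capability for the targeted post plus input sanitization. The namespace `example-seo/v1`, the meta keys and the callback name are assumptions.

```php
<?php
// Illustrative reconstruction (not SEOPress's code) of a REST route whose
// permission_callback only verifies the REST nonce, next to the hardened form.
add_action( 'rest_api_init', function () {

    // WEAK: any logged-in user can obtain a 'wp_rest' nonce (core's rest-nonce
    // AJAX action), so this proves authentication only, never authorization.
    // The 'title'/'description' params also reach the callback unsanitized.
    register_rest_route( 'example-seo/v1', '/meta/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'example_seo_update_meta',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return (bool) wp_verify_nonce( $request->get_header( 'X-WP-Nonce' ), 'wp_rest' );
        },
    ) );

    // HARDENED: require the capability to edit *this* post and validate input.
    // Core still performs the nonce check for cookie-authenticated requests.
    register_rest_route( 'example-seo/v1', '/meta-secure/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'example_seo_update_meta',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $post_id = (int) $request['id'];
            if ( ! get_post( $post_id ) ) {
                return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
            }
            // A subscriber fails this; the post's author or an editor passes.
            return current_user_can( 'edit_post', $post_id );
        },
        'args' => array(
            'title' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $v ) { return is_string( $v ) && strlen( $v ) <= 200; },
            ),
            'description' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_textarea_field',
            ),
        ),
    ) );
} );

// Shared callback: stores the values as post meta. Whatever renders these
// later must still escape on output (esc_html / esc_attr) as a second layer.
function example_seo_update_meta( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    update_post_meta( $post_id, '_example_seo_title', $request['title'] );
    update_post_meta( $post_id, '_example_seo_description', $request['description'] );
    return rest_ensure_response( array( 'updated' => $post_id ) );
}
```

When auditing a plugin, look for `register_rest_route` calls whose `permission_callback` is `__return_true` or only a nonce check, and confirm that every write route ties the check to a capability on the specific object being modified.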
To protect their websites, users should upgrade to version 5.0.4 of SEOPress.
Vulnerabilities in WordPress plugins remain fairly common. For instance, in July six critical flaws were disclosed that affected the WordPress plugin Front File Manager versions 17.1 and 18.2, active on more than 2,000 websites.
Earlier in the year, in March, The Plus Addons for Elementor plugin for WordPress was discovered to contain a critical security vulnerability that attackers can exploit to quickly, easily and remotely take over a website. First reported as a zero-day bug, researchers said that it was being actively attacked in the wild.
In February, an unpatched, stored XSS security bug was found to potentially affect 50,000 Contact Form 7 Style plugin users.
And in January, researchers warned of two vulnerabilities (one critical) in a WordPress plugin called Orbit Fox that could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.
Also that month, a plugin called PopUp Builder, used by WordPress websites for building pop-up ads for newsletter subscriptions, was found to have a vulnerability that could be exploited by attackers to send out newsletters with custom content or to delete or import newsletter subscribers.