According to a recent blog post from Wordfence, an XSS (cross-site scripting) vulnerability was recently patched for SEOPress. SEOPress is a WordPress plugin that seeks to optimize SEO for owners of WordPress sites. It does so through a multidimensional approach that utilizes metadata, schemas, and other predominant SEO techniques. This popular plugin is used on more than 100,000 WordPress sites, which could have easily been in trouble had the XSS vulnerability not been patched. WordPress has been battling vulnerabilities in plugins continually.
Wordfence describes the WordPress SEOPress vulnerability as follows:
“One feature the plugin implements is the ability to add a SEO title and description to posts, and this can be done while saving edits to a post or via a newly introduced REST-API endpoint... Unfortunately, this REST-API endpoint was insecurely implemented. The permissions_callback for the endpoint only verified if the user had a valid REST-API nonce in the request. A valid REST-API nonce can be generated by any authenticated user using the rest-nonce WordPress core AJAX action. This meant that any authenticated user, like a subscriber, could call the REST route with a valid nonce, and update the SEO title and description for any post.”
Wordfence first noticed this issue, namely that malicious scripts could be injected via the REST-API endpoint, back in July. They notified the SEOPress developers at the end of the month, who then set out to fix the vulnerability (CVE-2021-34641), which officially has a Common Vulnerability Scoring System score of 6.4 (medium).
The current patch is now listed as 5.0.4. This vulnerability affects SEOPress users on the following versions: 5.0.0, 5.0.1, 5.0.2, and 5.0.3. Some users are avoiding the 5.x version of SEOPress due to bugs. As such, they are still using the most recent 4.x version of the plugin. In response to a concerned 4.x user commenting on the blog, Wordfence said, “This vulnerability does not affect any versions prior to 5.0.0, so the 4.x versions are not vulnerable to this.”
Any users running SEOPress 5.0.0 through 5.0.3 should update to 5.0.4 immediately.
Featured image: Wikimedia Commons / Lisa Risager