Security issue in CMS add-on has been patched
A cross-site scripting (XSS) vulnerability in a popular WordPress plugin could allow an attacker to completely take over a website, researchers have warned.
The flaw made it possible for an attacker to inject arbitrary web scripts on a vulnerable site, which would execute anytime a user accessed the ‘All Posts’ page.
The vulnerable plugin, SEOPress, is installed on more than 100,000 websites.
Researcher Chloe Chamberland, threat analyst at Wordfence, explained the security issue in a blog post.
Insecure implementation
One of the features available in SEOPress is the ability to add an SEO title and description to posts, which can be done while saving edits to a post or via a newly introduced REST-API endpoint, Chamerland explains.
“Unfortunately, this REST-API endpoint was insecurely implemented,” the researcher wrote.
“The permissions_callback for the endpoint only verified if the user had a valid REST-API nonce in the request.
“A valid REST-API nonce can be generated by any authenticated user using the rest-nonce WordPress core AJAX action.
“This meant that any authenticated user, like a subscriber, could call the REST route with a valid nonce, and update the SEO title and description for any post.”
RELATED Patchstack’s Oliver Sild on securing WordPress, one plugin vulnerability at a time
The payload could include malicious web scripts due to a lack of sanitization or escaping on the stored parameter, which would execute any time a user accessed the ‘All Posts’ page.
Chamberland warned: “As always, XSS vulnerabilities such as this one can lead to a variety of malicious actions like new administrative account creation, webshell injection, arbitrary redirects, and more.
“This vulnerability could easily be used by an attacker to take over a WordPress site.”
Update now
The issue has been patched by WordPress, and is fixed in version 5.0.4. It is recommended that users update the plugin immediately.
The Daily Swig has reached out to Wordfence for more comment and will update this article accordingly.
YOU MAY ALSO LIKE WordPress 5.8 update extends Site Health interface for developers
