Security issue in CMS add-on has been patched
The flaw made it possible for an attacker to inject arbitrary web scripts on a vulnerable site, which would execute anytime a user accessed the ‘All Posts’ page.
The vulnerable plugin, SEOPress, is installed on more than 100,000 websites.
Researcher Chloe Chamberland, threat analyst at Wordfence, explained the security issue in a blog post.
One of the features available in SEOPress is the ability to add an SEO title and description to posts, which can be done while saving edits to a post or via a newly introduced REST-API endpoint, Chamerland explains.
“Unfortunately, this REST-API endpoint was insecurely implemented,” the researcher wrote.
“The permissions_callback for the endpoint only verified if the user had a valid REST-API nonce in the request.
“A valid REST-API nonce can be generated by any authenticated user using the rest-nonce WordPress core AJAX action.
“This meant that any authenticated user, like a subscriber, could call the REST route with a valid nonce, and update the SEO title and description for any post.”
The payload could include malicious web scripts due to a lack of sanitization or escaping on the stored parameter, which would execute any time a user accessed the ‘All Posts’ page.
Chamberland warned: “As always, XSS vulnerabilities such as this one can lead to a variety of malicious actions like new administrative account creation, webshell injection, arbitrary redirects, and more.
“This vulnerability could easily be used by an attacker to take over a WordPress site.”
The issue has been patched by WordPress, and is fixed in version 5.0.4. It is recommended that users update the plugin immediately.
The Daily Swig has reached out to Wordfence for more comment and will update this article accordingly.
YOU MAY ALSO LIKE WordPress 5.8 update extends Site Health interface for developers