Nasty WordPress plugin bug puts 100,000 sites at risk
Security researchers urge SEOPress plugin users to update to the latest release
A cross-site scripting (XSS) flaw discovered in the SEOPress WordPress plugin could allow attackers to inject arbitrary web scripts into vulnerable installations and take over websites.
SEOPress is a popular SEO plugin that's designed specifically for websites that run WordPress and is used across roughly 100,000 sites.
The flaw was discovered by WordPress security experts at Wordfence, who brought it to the attention of the plugin developer last month.
"One feature the plugin implements is the ability to add an SEO title and description to posts, and this can be done while saving edits to a post or via a newly introduced REST-API endpoint. Unfortunately, this REST-API endpoint was insecurely implemented," wrote Chloe Chamberland, Threat Analyst at Wordfence.
Malicious payloads
Chamberland notes that cross-site scripting vulnerabilities such as the one discovered in SEOPress can be exploited to carry out a range of malicious actions, including the creation of new administrative accounts, webshell injection and arbitrary redirects, and could ultimately let an attacker take over a WordPress website.
Sharing technical details about the vulnerability, Chamberland writes that it could be exploited by any authenticated user, such as a regular subscriber, to update the SEO title and description for any post.
"The payload could include malicious web scripts, like JavaScript, due to a lack of sanitization or escaping on the stored parameters," says Chamberland, adding that these scripts would execute every time a user accesses the "All Posts" page.
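To make the two weaknesses Chamberland describes concrete (a REST endpoint that any authenticated user can call, and a stored value that is neither sanitized on input nor escaped on output), here is an added illustrative WordPress plugin fragment. It is not SEOPress's code; the route namespace, meta key and all function names are hypothetical, and it assumes it is loaded inside a WordPress install. The vulnerable variant reproduces the pattern the article describes, and the hardened variant shows the corresponding fixes: a per-post capability check in `permission_callback`, a `sanitize_callback` on the argument, and `esc_html()` at the point where the value is rendered on the "All Posts" screen.

```php
<?php
/**
 * Added example (not SEOPress code): a minimal plugin fragment that stores a
 * per-post SEO title through a REST endpoint and renders it as a column on the
 * "All Posts" screen. Namespace, route, meta key and function names are
 * hypothetical. Only the hardened variant is hooked up at the bottom.
 */

// ---------------------------------------------------------------------------
// Vulnerable pattern: any logged-in user may update any post, and the stored
// value is never sanitized on input nor escaped on output (stored XSS).
// ---------------------------------------------------------------------------
function example_register_vulnerable_route() {
    register_rest_route( 'example-seo/v1', '/title/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'example_vulnerable_save_title',
        // Only checks for a logged-in session; a subscriber passes this check.
        'permission_callback' => 'is_user_logged_in',
    ) );
}

function example_vulnerable_save_title( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    // Raw, unsanitized value written straight into post meta.
    update_post_meta( $post_id, '_example_seo_title', $request->get_param( 'title' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}

function example_vulnerable_render_column( $column, $post_id ) {
    if ( 'example_seo_title' === $column ) {
        // Unescaped output: a stored <script> runs for every admin viewing All Posts.
        echo get_post_meta( $post_id, '_example_seo_title', true );
    }
}

// ---------------------------------------------------------------------------
// Hardened pattern: per-post capability check, input sanitization and
// output escaping at the sink.
// ---------------------------------------------------------------------------
function example_register_hardened_route() {
    register_rest_route( 'example-seo/v1', '/title/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'example_hardened_save_title',
        // Authorization: the caller must be allowed to edit *this* post.
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_post', (int) $request['id'] );
        },
        'args' => array(
            'title' => array(
                'required'          => true,
                'type'              => 'string',
                // Strips tags and control characters before the callback sees the value.
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && strlen( $value ) <= 200;
                },
            ),
        ),
    ) );
}

function example_hardened_save_title( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    if ( ! get_post( $post_id ) ) {
        return new WP_Error( 'not_found', 'No such post.', array( 'status' => 404 ) );
    }
    update_post_meta( $post_id, '_example_seo_title', $request->get_param( 'title' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}

function example_hardened_render_column( $column, $post_id ) {
    if ( 'example_seo_title' === $column ) {
        // Escape at output regardless of what was stored: defence in depth.
        echo esc_html( get_post_meta( $post_id, '_example_seo_title', true ) );
    }
}

// Wire up the hardened variant only.
add_action( 'rest_api_init', 'example_register_hardened_route' );
add_filter( 'manage_posts_columns', function ( $columns ) {
    $columns['example_seo_title'] = 'SEO title';
    return $columns;
} );
add_action( 'manage_posts_custom_column', 'example_hardened_render_column', 10, 2 );
```

The important design point is that the two controls are independent: the capability check stops a low-privileged account from writing to posts it does not own, and the output escaping means that even a value that somehow reached the database unsanitized is rendered as text rather than executed in an administrator's browser. When reviewing a plugin, look for REST routes whose `permission_callback` is `__return_true` or a bare login check, and for `echo` of post meta or options without an `esc_*` wrapper.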
This flaw has been fully patched in SEOPress version 5.0.4, and Wordfence urges all users of the plugin to update their installations.
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he's TechRadar Pro's expert on the topic. Of course, he's just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.