WordPress SEOPress Plugin XSS vulnerability
Wordfence, a WordPress security software company, has released details of a vulnerability in the popular WordPress SEO plugin SEOPress. Before the announcement, Wordfence had shared the details of the vulnerability with the publishers of SEOPress, who fixed the problem immediately and released a patch.
According to Wordfence:
“This bug allowed an attacker to inject arbitrary web scripts on a vulnerable website that would run every time a user accesses the All Posts page.”
The US government’s National Vulnerability Database website listed the Wordfence-provided CNA (CVE Numbering Authority) rating for the SEOPress vulnerability as a medium rating and a score of 6.4 on a scale of 1 to 10.
The vulnerability is categorized as:
“Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)”
The vulnerability affects SEOPress versions 5.0.0 – 5.0.3.
What is the SEOPress vulnerability?
The official SEOPress changelog did not actually describe the vulnerability or reveal that there is a security vulnerability.
This is not a criticism of SEOPress; I just note that SEOPress described the problem vaguely:
“INFO Strengthening security (thanks to Wordfence)”
Screenshot from SEOPress changelog
The problem affecting SEOPress allowed any authenticated user, even one with only subscriber-level credentials, to update the SEO title and description of any post. Because this input was not properly sanitized to strip scripts and other unintended content, an attacker could store a malicious script that would later execute in the browsers of other users as part of a cross-site scripting attack.
Although the National Vulnerability Database rated this vulnerability as medium (possibly because it affects only websites that allow user registration, such as subscriber accounts), Wordfence warns that an attacker could “easily” take over a vulnerable website under the circumstances described.
Wordfence said this about the cross-site scripting (XSS) vulnerability:
“… Cross-site scripting vulnerabilities like this one can lead to a variety of malicious actions like new administrator account creation, webshell injection, arbitrary redirects, and more.”
Cross-site scripting (XSS) attack vectors are usually found wherever someone can enter data. Any place that accepts user input, such as a contact form, is a potential source of an XSS vulnerability.
Software developers are supposed to sanitize (“clean up”) such input, that is, check that it contains nothing unexpected before it is stored or rendered.
REST API input unsafe
This particular vulnerability concerned the input used to set a post’s SEO title and description. Specifically, it concerned input submitted through the WordPress REST API.
The WordPress REST API is an interface that enables plugins and external applications to interact with a WordPress site.
Using the REST API, a plugin can read and modify a site’s content programmatically.
The WordPress documentation describes it like this:
“With the WordPress REST API you can create a plugin to provide a completely new admin experience for WordPress, create a brand new interactive front-end experience or bring your WordPress content into completely separate applications.”
According to Wordfence, the SEOPress WordPress REST API endpoint was implemented insecurely because the plugin did not properly sanitize the input submitted through this endpoint.
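To make the two defects concrete (low-privilege access to the endpoint and unsanitized input that is later rendered on the All Posts screen), here is an added example written for this article; it is not SEOPress’s code, and the route name, meta keys and function names (example-seo/v1, _example_seo_title, _example_seo_desc, example_seo_*) are constructed for illustration. The insecure variant is defined but deliberately not hooked; the hardened variant authorizes per post, sanitizes on write and escapes on output.

```php
<?php
/*
 * Illustrative example (not SEOPress's code): a plugin REST endpoint that stores
 * per-post SEO title/description meta. Route, meta keys and function names are
 * constructed for this example.
 */

// --- Insecure pattern (NOT hooked): the shape of the bug described above. ---
function example_seo_register_insecure_route() {
    register_rest_route( 'example-seo/v1', '/meta/(?P<id>\d+)', array(
        'methods'             => 'POST',
        // Weak setting: every logged-in user, including subscribers, is allowed through.
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            $post_id = (int) $request['id'];
            // Raw input stored as-is, so a <script> tag survives into the database.
            update_post_meta( $post_id, '_example_seo_title', $request->get_param( 'title' ) );
            update_post_meta( $post_id, '_example_seo_desc', $request->get_param( 'description' ) );
            return rest_ensure_response( array( 'saved' => true ) );
        },
    ) );
}

// --- Hardened pattern: authorize per post, sanitize on write, escape on output. ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-seo/v1', '/meta/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        // Only users who may edit THIS post pass; a subscriber fails this check.
        'permission_callback' => function ( WP_REST_Request $request ) {
            $post_id = absint( $request['id'] );
            if ( ! get_post( $post_id ) ) {
                return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
            }
            return current_user_can( 'edit_post', $post_id );
        },
        // Schema-level sanitization runs before the callback ever sees the values.
        'args' => array(
            'title' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
            'description' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_textarea_field',
            ),
        ),
        'callback' => function ( WP_REST_Request $request ) {
            $post_id = absint( $request['id'] );
            $fields  = array(
                'title'       => '_example_seo_title',
                'description' => '_example_seo_desc',
            );
            foreach ( $fields as $param => $meta_key ) {
                // Only touch fields the client actually sent.
                if ( null !== $request->get_param( $param ) ) {
                    update_post_meta( $post_id, $meta_key, $request->get_param( $param ) );
                }
            }
            return rest_ensure_response( array( 'saved' => true, 'post' => $post_id ) );
        },
    ) );
} );

// Escape on output too: even if a bad value ever reaches the database, the
// All Posts column renders it as text instead of executing it.
add_filter( 'manage_posts_columns', function ( $columns ) {
    $columns['example_seo_title'] = 'SEO title';
    return $columns;
} );
add_action( 'manage_posts_custom_column', function ( $column, $post_id ) {
    if ( 'example_seo_title' === $column ) {
        echo esc_html( get_post_meta( $post_id, '_example_seo_title', true ) );
    }
}, 10, 2 );
```

The two layers are independent: the permission_callback stops a subscriber from writing to posts they cannot edit, while sanitize_callback and esc_html together ensure that whatever does get stored cannot run as script on the admin screen. Defenders reviewing a plugin can grep for register_rest_route calls whose permission_callback is __return_true and check whether the stored values are escaped where they are displayed.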
Announcement of the Wordfence SEOPress vulnerability
Entry in the National Vulnerability Database on the topic of SEOPress Stored Cross-Site-Scripting
WordPress REST API manual