A cross-site scripting (XSS) vulnerability in a popular WordPress plugin could allow an attacker to completely take over a website, researchers have warned.
The flaw made it possible for an attacker to inject arbitrary web scripts on a vulnerable site, which would execute anytime a user accessed the ‘All Posts’ page.
One of the features available in SEOPress is the ability to add an SEO title and description to posts, which can be done while saving edits to a post or via a newly introduced REST-API endpoint, Chamerland explains.
“This meant that any authenticated user, like a subscriber, could call the REST route with a valid nonce, and update the SEO title and description for any post.”
The payload could include malicious web scripts due to a lack of sanitization or escaping on the stored parameter, which would execute any time a user accessed the ‘All Posts’ page.
Chamberland warned: “As always, XSS vulnerabilities such as this one can lead to a variety of malicious actions like new administrative account creation, webshell injection, arbitrary redirects, and more.