WordPress SEOPress Plugin XSS Vulnerability

This page summarises a stored cross-site scripting (XSS) vulnerability in SEOPress, an SEO plugin for WordPress developed by the team at SEOPress.com. Only an outline of the flaw is given here; no proof-of-concept payload is reproduced.

The vulnerability was reported to the SEOPress developers before it was made public, and the description below follows the advisory published by Wordfence.

SEOPress is one of many SEO plugins for WordPress, and they can be hard to tell apart. Such plugins typically let site users set a per-post SEO title and meta description, and each plugin has its own code paths for accepting and displaying that input, which is exactly where flaws of this kind tend to appear.

Wordfence, a WordPress security software firm, published details of a vulnerability in SEOPress, a prominent WordPress SEO plugin. Wordfence informed the SEOPress authors of the vulnerability before making the disclosure, and they quickly fixed the problem and released a patch.

Wordfence states:

“An attacker might exploit this vulnerability to inject arbitrary web scripts into a vulnerable site, which would run whenever a user visited the “All Posts” page.”

Wordfence, acting as the CVE Numbering Authority (CNA) for the issue, rated it medium severity with a CVSS score of 6.4 on the 0 to 10 scale; the entry in the US government's National Vulnerability Database carries that rating.

The flaw is classified under the following weakness category (CWE-79):

Versions 5.0.0 – 5.0.3 of SEOPress are vulnerable.

What is the SEOPress Security Flaw?

The official SEOPress changelog did not explain the flaw or even acknowledge that it existed.

This is not a complaint about SEOPress; the point is simply that the entry was vague:

“INFO Increasing security (with the help of Wordfence)”

[Screenshot: SEOPress changelog entry]

The problem in SEOPress was that any authenticated user, even one with only subscriber privileges, could change the SEO title and meta description of any post. Because the plugin stored these values without sanitizing them and displayed them without escaping, an attacker could submit a payload containing script tags and later have it executed in the browser of any user who viewed the affected page: a stored cross-site scripting attack.

Although the National Vulnerability Database classifies this vulnerability as medium severity (the attacker needs an account, so sites that allow open registration of subscribers are the most exposed), Wordfence warns that under those conditions an attacker could "easily" take over a vulnerable site.

Wordfence said the following about the cross-site scripting (XSS) flaw:

“…cross-site scripting flaws like this one may lead to a wide range of malicious activities, including the establishment of new administrator accounts, webshell injection, arbitrary redirection, and more.”

Cross-site scripting (XSS) vulnerabilities arise wherever user-supplied data is later written into a page. Any place that accepts input, such as a contact form, a comment field, a post title or, as here, a REST API parameter, is a possible source.

Developers must validate and sanitize that input on the way in and, just as importantly, escape it for the context it is rendered into (HTML body, attribute, JavaScript, URL) on the way out, so that nothing unexpected is interpreted as markup or code.

Input to the REST API was not sanitized

The affected input was the SEO title and description of a post, which the plugin accepted through a WordPress REST API endpoint.

The WordPress REST API is the mechanism through which plugins, themes and external applications exchange data with a WordPress site. A plugin can register its own endpoints and use them to read and modify site content.

It’s described as follows in the WordPress documentation:

“You may develop a plugin to offer a whole new admin experience for WordPress, construct a fresh new interactive front-end experience, or move your WordPress material into completely different applications” using the WordPress REST API.

According to Wordfence, the SEOPress REST API endpoint was built insecurely: the plugin did not properly restrict who could call it to change a post's metadata, nor did it sanitize the values submitted through it.
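To make the two failures concrete, here is an added illustration written for this page, not SEOPress's code: a hypothetical plugin endpoint in the vulnerable shape the advisory describes (any logged-in user may write to any post, nothing is sanitized, the stored value is echoed raw into the posts list) beside a hardened version. The route names, the meta keys `_example_seo_title` and `_example_seo_desc`, the column names and the function names are assumptions for the example; the WordPress functions called (register_rest_route, current_user_can, sanitize_text_field, esc_html, update_post_meta, get_post_meta) are real core APIs.

```php
<?php
/**
 * Added illustration for this page (not SEOPress's code). Endpoint names,
 * meta keys, column names and function names are assumptions.
 * Column registration via the manage_posts_columns filter is omitted.
 */

// --- Vulnerable pattern: the class of bug the advisory describes ----------
// Any logged-in user (a subscriber included) can write to ANY post's meta,
// and the value is echoed unescaped, so "<script>...</script>" stored by a
// subscriber runs in the browser of every admin who opens Posts > All Posts.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-seo/v1', '/meta/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'example_seo_save_meta_vulnerable',
        // Checks only that SOMEONE is logged in, not that they may edit the post.
        'permission_callback' => 'is_user_logged_in',
    ) );
} );

function example_seo_save_meta_vulnerable( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    // Raw request values stored verbatim: no validation, no sanitization.
    update_post_meta( $post_id, '_example_seo_title', $request['title'] );
    update_post_meta( $post_id, '_example_seo_desc', $request['description'] );
    return rest_ensure_response( array( 'saved' => true ) );
}

// Output side: unescaped echo inside a custom posts-list column (the sink).
add_action( 'manage_posts_custom_column', function ( $column, $post_id ) {
    if ( 'example_seo_title' === $column ) {
        echo get_post_meta( $post_id, '_example_seo_title', true );
    }
}, 10, 2 );

// --- Hardened pattern ------------------------------------------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-seo/v1', '/meta-safe/(?P<id>\d+)', array(
        'methods'  => 'POST',
        'callback' => 'example_seo_save_meta_safe',
        // Authorization: the caller must be allowed to edit THIS post.
        // For a subscriber, current_user_can( 'edit_post', ... ) is false.
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_post', (int) $request['id'] );
        },
        // Per-parameter validation and sanitization run before the callback.
        'args' => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && null !== get_post( (int) $value );
                },
                'sanitize_callback' => 'absint',
            ),
            'title' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field', // strips tags
            ),
            'description' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_seo_save_meta_safe( WP_REST_Request $request ) {
    $post_id = $request->get_param( 'id' );
    update_post_meta( $post_id, '_example_seo_title', $request->get_param( 'title' ) );
    update_post_meta( $post_id, '_example_seo_desc', $request->get_param( 'description' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}

// Output side: escape for the HTML context at render time even though the
// input was sanitized, because values stored before the fix may still carry
// a payload.
add_action( 'manage_posts_custom_column', function ( $column, $post_id ) {
    if ( 'example_seo_title_safe' === $column ) {
        echo esc_html( get_post_meta( $post_id, '_example_seo_title', true ) );
    }
}, 10, 2 );
```

The permission_callback closes the authorization half of the problem (a subscriber cannot edit other users' posts, so the request is rejected before the callback runs), sanitize_callback strips markup on the way in, and esc_html at the point of output neutralizes anything already in the database. That last layer matters in practice: upgrading the plugin stops new injections, but a payload stored while the site was vulnerable stays in the post meta until it is reviewed and removed, so after patching it is worth searching existing metadata for script tags or event-handler attributes.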

Citations

  • Wordfence announcement of the SEOPress stored cross-site scripting vulnerability
  • National Vulnerability Database entry for the SEOPress stored cross-site scripting vulnerability
  • WordPress REST API Handbook

For readers unfamiliar with it: SEOPress is a WordPress plugin that adds search-engine optimisation features to a site, including per-post SEO titles and meta descriptions, which are the fields affected by the vulnerability described above.
