Business

XSS vulnerability in popular WordPress plugin SEOPress could enable complete site takeover

Published

on

cross-site scripting (XSS) vulnerability in a popular WordPress plugin could allow an attacker to completely take over a website, researchers have warned.

The flaw made it possible for an attacker to inject arbitrary web scripts on a vulnerable site, which would execute anytime a user accessed the ‘All Posts’ page.

The vulnerable plugin, SEOPress, is installed on more than 100,000 websites.

Researcher Chloe Chamberland, threat analyst at Wordfence, explained the security issue in a blog post.

Insecure implementation

One of the features available in SEOPress is the ability to add an SEO title and description to posts, which can be done while saving edits to a post or via a newly introduced REST-API endpoint, Chamerland explains.

“Unfortunately, this REST-API endpoint was insecurely implemented,” the researcher wrote.

“The permissions_callback for the endpoint only verified if the user had a valid REST-API nonce in the request.

“A valid REST-API nonce can be generated by any authenticated user using the rest-nonce WordPress core AJAX action.

“This meant that any authenticated user, like a subscriber, could call the REST route with a valid nonce, and update the SEO title and description for any post.”

The payload could include malicious web scripts due to a lack of sanitization or escaping on the stored parameter, which would execute any time a user accessed the ‘All Posts’ page.

Chamberland warned: “As always, XSS vulnerabilities such as this one can lead to a variety of malicious actions like new administrative account creation, webshell injection, arbitrary redirects, and more.

“This vulnerability could easily be used by an attacker to take over a WordPress site.”

Update now

The issue has been patched by WordPress, and is fixed in version 5.0.4. It is recommended that users update the plugin immediately.

The Daily Swig has reached out to Wordfence for more comment and will update this article accordingly.

Source: https://portswigger.net/daily-swig/xss-vulnerability-in-popular-wordpress-plugin-seopress-could-enable-complete-site-takeover

Click to comment
Exit mobile version