Critical vulnerability in SEOPress WordPress plugin allows hacking 100,000 WordPress websites

Cybersecurity specialists report the detection of a cross-site scripting (XSS) vulnerability in SEOPress, a popular WordPress plugin for search engine optimization (SEO), allowing webmasters to manage SEO metadata, social media cards, Google Ads settings and other useful features. Currently this plugin has more than 100 thousand active installations, so this report should be taken seriously.

Apparently, one of the features implemented by this plugin is the ability to add an SEO title and description to a post, which can be done while saving edits to a post or through a newly implemented REST-API endpoint. The access control on this endpoint is mishandled, which is the root of the vulnerability.

Tracked as CVE-2021-34641, the vulnerability allows any authenticated user (including subscribers) to call the REST path with a valid nonce and update the SEO title and description for any post: “Any authenticated user can generate a valid REST-API nonce using the WordPress core rest-nonce AJAX action,” the report states.

Depending on what a threat actor places in the title and description, which the site later renders to visitors, the attack would allow a number of malicious actions, including website hijacking: “XSS flaws can lead to all sorts of malicious activities, including the creation of new administrator accounts, webshell injection, redirection to malicious websites, and other attacks.”
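To make the described flaw concrete for plugin developers and reviewers, the following is an added illustration (not SEOPress's code) of the pattern: a REST route that writes a post's SEO title and description, first with the weak authorization the report describes, then hardened with a per-post capability check and input sanitization. The route namespace, paths and meta keys are hypothetical.

```php
<?php
// Added illustration, not SEOPress code. Route names and meta keys are hypothetical.
add_action( 'rest_api_init', function () {

    // WEAK: any logged-in user holding a REST nonce passes the check, and the raw
    // title/description is stored. A subscriber can therefore save HTML or script
    // that is echoed into every view of the post (stored XSS).
    register_rest_route( 'example-seo/v1', '/meta/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'permission_callback' => 'is_user_logged_in',
        'callback'            => function ( WP_REST_Request $req ) {
            update_post_meta( (int) $req['id'], '_example_seo_title', $req['title'] );
            update_post_meta( (int) $req['id'], '_example_seo_desc',  $req['description'] );
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );

    // HARDENED: require edit rights on that specific post (subscribers fail here),
    // declare the arguments so WordPress sanitizes them before the callback runs,
    // and store plain text only.
    register_rest_route( 'example-seo/v1', '/meta-safe/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'permission_callback' => function ( WP_REST_Request $req ) {
            return current_user_can( 'edit_post', (int) $req['id'] );
        },
        'args' => array(
            'title'       => array( 'required' => true, 'sanitize_callback' => 'sanitize_text_field' ),
            'description' => array( 'required' => true, 'sanitize_callback' => 'sanitize_textarea_field' ),
        ),
        'callback' => function ( WP_REST_Request $req ) {
            $id = (int) $req['id'];
            update_post_meta( $id, '_example_seo_title', $req['title'] );
            update_post_meta( $id, '_example_seo_desc',  $req['description'] );
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );
} );

// Escape on output as well, in the context where the value lands:
// <title><?php echo esc_html( get_post_meta( $post_id, '_example_seo_title', true ) ); ?></title>
// <meta name="description" content="<?php echo esc_attr( get_post_meta( $post_id, '_example_seo_desc', true ) ); ?>">
```

When auditing a plugin for this class of bug, the two things to look for are a `permission_callback` that only tests login state (or `__return_true`) on a write route, and stored values that reach HTML without `esc_html()`/`esc_attr()`.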

For security reasons, users of affected deployments are encouraged to upgrade to v5.0.4, the latest version of SEOPress.

Security flaws in WordPress plugins remain a recurring issue for website owners. A couple of weeks ago a report was published detailing the discovery of six vulnerabilities in the most recent versions of Front File Manager, an active plugin on more than 2 thousand websites.

Another report published last March pointed to the detection of multiple flaws in Elementor Plus Addons, including a critical vulnerability that would allow threat actors to take control of websites relatively easily. The cybersecurity community recorded multiple attempts to exploit this flaw in real-world scenarios.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.