Wordfence, a WordPress security software company, released information about a vulnerability in the popular WordPress SEO software SEOPress. Prior to making the announcement, Wordfence informed the publishers of SEOPress about the vulnerability, who quickly addressed the issue and published a patch to fix it.
According to Wordfence:
"This flaw made it possible for an attacker to inject arbitrary web scripts on a vulnerable site which would execute anytime a user accessed the ‘All Posts’ page."
The United States government National Vulnerability Database website listed the Wordfence-provided CNA (CVE Numbering Authority) rating for the SEOPress vulnerability as a medium-level rating and a score of 6.4 on a scale of 1 to 10.
The weakness enumeration is categorized as:
"Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)"
The vulnerability affects SEOPress versions 5.0.0 – 5.0.3.
What is the SEOPress Vulnerability?
The official SEOPress changelog did not clearly describe the vulnerability or disclose that there was a vulnerability. This isn’t a criticism of SEOPress, just an observation that SEOPress described the problem in vague terms:
"INFO Strengthening security (thanks to Wordfence)"
The issue affecting SEOPress allows any authenticated user, with credentials as low as a subscriber, to update the title and description of any post. Because this input was insecure and didn’t properly sanitize the input for scripts and other unintended uploads, an attacker could upload malicious scripts that could be used as part of a cross-site scripting attack.
Although the National Vulnerability Database rates this vulnerability as medium (possibly because it affects sites that allow user registrations like subscribers), Wordfence warns that an attacker could "easily" take over a vulnerable website under the listed circumstances.
Wordfence stated the following about the cross-site scripting (XSS) vulnerability:
"…cross-site scripting vulnerabilities such as this one can lead to a variety of malicious actions like new administrative account creation, webshell injection, arbitrary redirects, and more.”
Cross-site scripting (XSS) vulnerabilities typically occur in areas where someone can input data. Any place where an individual can enter information, such as a contact form, is a potential source of an XSS vulnerability. Software developers are supposed to "sanitize" the inputs, checking that the input is not something unexpected.
REST API Input Insecure
This particular vulnerability affected the input related to entering the title and description of a post, specifically involving the WordPress REST API.
The WordPress REST API is an interface that allows WordPress plugins to interact with WordPress. With the REST API, a plugin can interact with a WordPress site and modify web pages.
The WordPress documentation describes it like this:
"Using the WordPress REST API you can create a plugin to provide an entirely new admin experience for WordPress, build a brand new interactive front-end experience, or bring your WordPress content into completely separate applications.”
According to Wordfence, the SEOPress WordPress REST API endpoint was implemented insecurely, in that the plugin did not properly sanitize the inputs through this method.
Citations
- Wordfence SEOPress Vulnerability Announcement
- National Vulnerability Database entry on the SEOPress Stored Cross-Site-Scripting issue
- WordPress REST API Handbook
