The Squirrly SEO plugin, a popular tool for search engine optimization in WordPress, has been found to harbor a critical vulnerability, CVE-2024-10515. This flaw allows attackers to exploit a Stored Cross-Site Scripting (XSS) vulnerability through the plugin’s SEO settings. By embedding malicious JavaScript code into the “Meta Keywords” field in the SEO Snippet settings, attackers can execute arbitrary scripts, leading to account takeover and backdoor creation. With over 100,000 active installations, this vulnerability poses a serious risk to WordPress sites using the plugin.
| CVE | CVE-2024-10515 |
| Plugin | SEO Plugin by Squirrly SEO < 12.3.21 |
| Critical | High |
| All Time | 4 121 856 |
| Active installations | 100 000+ |
| Publicly Published | October 25, 2024 |
| Last Updated | October 25, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10515 https://wpscan.com/vulnerability/367aad17-fbb5-48eb-8829-5d3513098d02/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| August 28, 2024 | Plugin testing and vulnerability detection in the SEO Plugin by Squirrly SEO have been completed |
| August 28, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| October 25, 2024 | Registered CVE-2024-10515 |
Discovery of the Vulnerability
During security testing of the Squirrly SEO plugin, it was discovered that the plugin fails to properly sanitize inputs in the “Meta Keywords” field within the SEO Snippet settings of a post. This lack of input validation allows attackers to inject malicious JavaScript into the field. When the settings are saved and the page is reloaded, the injected script is executed, leading to potential exploits. The issue is particularly severe because administrators and editors are often granted the unfiltered_html capability, which allows them to insert JavaScript into posts, pages, and comments.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is one of the most commonly exploited vulnerabilities in web applications, including WordPress. XSS vulnerabilities allow attackers to inject malicious scripts into trusted websites, which are then executed in the browsers of users who visit those sites. These vulnerabilities can be leveraged to steal sensitive information, perform unauthorized actions, or install malware. A notable example of XSS exploitation in WordPress occurred with plugins such as Contact Form 7 and Gravity Forms, where improper sanitization of user inputs led to widespread compromises. In this case, the Squirrly SEO plugin’s failure to sanitize the “Meta Keywords” field presents a similar threat, allowing attackers to execute malicious scripts in an environment trusted by website visitors and administrators.
Exploiting the XSS Vulnerability
To exploit the CVE-2024-10515 vulnerability, an attacker would need to create a new post within WordPress and modify the “Meta Keywords” field in the SEO Snippet settings. The attacker can insert a payload such as <img src=x onerror=alert(1)> into the field and save the settings. Upon reloading the page, the malicious script executes, potentially allowing the attacker to hijack the session, steal sensitive data, or escalate privileges. The fact that admins and editors can input unfiltered HTML further amplifies the risk, as they can inadvertently trigger this attack without realizing the danger.
POC:
You should create new Post. You should change "Meta Keywords" field in SEO Snippet settings inside post to "Malicious JS code eval() and etc. For example <img src=x onerror=alert(1) -> Save Settings and reload page (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)____
The exploitation of this vulnerability could lead to serious consequences, including unauthorized account access, data theft, and the installation of backdoors on compromised sites. Attackers could hijack administrator sessions, create new accounts, or perform unauthorized actions on the site. In a real-world scenario, a website using Squirrly SEO could have its content manipulated, user data exposed, or spam emails sent through the compromised site. The attacker could also use the backdoor to gain persistent access to the site, leading to long-term security breaches and potential damage to the website’s reputation.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-10515, users of the Squirrly SEO plugin should immediately update to the latest version once a patch is released. Site administrators should also consider restricting the unfiltered_html capability for non-admin users, ensuring that only trusted individuals can inject JavaScript into posts and pages. Regular security audits and the use of WordPress security plugins can help detect and block XSS attempts before they lead to successful exploitation. In addition, employing Content Security Policies (CSP) can reduce the impact of malicious scripts if they do get injected.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10515, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
