XSS vulnerability on SEOPress WordPress Plugin

The SEOPress plugin is frequently used as an SEO plugin on WordPress websites. It is deployed on over 100,000 websites. On 29th July, an XSS (cross-site scripting) vulnerability was found in the way the plugin allowed the REST API to be used for changing the SEO meta title and description tags while editing a blog post. This left a security gap in which a remote user could use the flaws in the implementation of the REST API based processing to compromise the WordPress website.

Cross-site scripting would allow a hacker to create new users with administrative privileges and to create remote web shells for remote code execution. The entire website can be taken over by hackers using the XSS vulnerability. This vulnerability has been reported as CVE-2021-34641. Details about the vulnerability can be found on the Wordfence site.

Wordfence first found the vulnerability on 29th July and has provided mitigation rules for pro users of the Wordfence security plugin. Free users of the Wordfence plugin are allowed free mitigation until 28th August, 2021, i.e. for a period of one month from the original date of detection of the vulnerability.

The developers of the SEOPress plugin have since resolved the XSS vulnerability in the latest version of the plugin, SEOPress 5.0.4. This release was launched on 4th August, one week after the detection of the XSS vulnerability in the plugin. Although the company has patched the cross-site scripting vulnerability as part of the SEOPress 5.0.4 plugin update, it remains to be seen if all the 100,000 WordPress sites have installed the latest security release. We advise all SEOPress users to update the WordPress plugin to version 5.0.4.
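
A site owner can check both points raised above: whether the installed version predates 5.0.4, and whether any stored SEO title or description contains markup, since these fields should hold plain text. The following audit script is an added example, not code from SEOPress or Wordfence. The meta key names and sample rows are constructed, and treating every version below 5.0.4 as needing the update is an assumption based on the article's advice.

```python
import re
from html.parser import HTMLParser

FIXED_VERSION = (5, 0, 4)  # patched release named in the article

def parse_version(text):
    """Turn '5.0.3' or '5.0' into a 3-part tuple, padding missing parts with 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def needs_update(installed):
    # Assumption: any release older than the fixed one should be updated.
    return parse_version(installed) < FIXED_VERSION

class MarkupFinder(HTMLParser):
    """Records every tag and risky attribute in a value that should be plain text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self.findings.append(f"tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")

def find_markup(value):
    finder = MarkupFinder()
    finder.feed(value)
    finder.close()
    return finder.findings

def audit(version, meta_rows):
    """Return (needs_update, {(post_id, key): findings}) for one site."""
    flagged = {}
    for post_id, key, value in meta_rows:
        findings = find_markup(value)
        if findings:
            flagged[(post_id, key)] = findings
    return needs_update(version), flagged

# Constructed sample data; the meta key names are hypothetical.
SAMPLE_ROWS = [
    (12, "seo_title", "Ten tips for faster pages | Example Blog"),
    (12, "seo_description", "Prices < 5 EUR & free shipping"),
    (31, "seo_title", 'Sale"><script src="//cdn.example.invalid/x.js"></script>'),
    (44, "seo_description", '<img src="x" onerror="void(0)">'),
]
```

Rows flagged by `audit` deserve manual review even after the update, because patching the plugin does not remove values that were stored earlier.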