SEOPress < 7.8 – Contributor+ Stored XSS | CVE 2024-4899 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its Post settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks.

Proof of Concept

As a contributor, create a new Post, at the bottom of the page put the following payload in the "SEO Title" field and save: ;&lt;img src=x onerror=alert(/XSS/)&gt;<

The XSS will be triggered upon saving, as well as when any user will edit the post

Affects Plugins

Fixed in 7.8

References

CVE

URL

https://research.cleantalk.org/cve-2024-4899/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmirtii Ignatyev

Submitter

Dmirtii Ignatyev

Submitter website

https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/

Verified

Yes

WPVDB ID

15346ae9-9a29-4968-a6a9-81d1116ac448

Timeline

Publicly Published

2024-06-03 (about 1 year ago)

Added

2024-06-03 (about 1 year ago)

Last Updated

2024-06-03 (about 1 year ago)

Other

Published

Title

Published

2025-06-05

Title

Bellows Accordion Menu < 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-04-22

Title

SKT Blocks < 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-09-06

Title

User Submitted Posts < 20230902 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2014-04-25

Title

Ooorl <= 1.0.0 - XSS

Published

2025-03-11

Title

WP Last Modified <= 0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting