SEO Plugin by Squirrly SEO < 12.3.21 – Editor+ Stored XSS | CVE 2024-10515 | Plugin Vulnerabilities

Description

In the process of testing the plugin, a vulnerability was found that allows you to implement Stored XSS on behalf of the editor by embedding malicious script, which entails account takeover backdoor

Proof of Concept

1) Ensure the site is set up and connected to Squirrley SEO.
2) Create a new Post. If the site is connected properly, the "Live Assistant" should display correctly in the bottom right corner of the editor.
3) Type any title and any body of post.
4) Save Draft
5) Put "&lt;img src=x onerror=alert(1)&gt;" in "+ Add keyword" field
6) Click  on purple button "Save"
7) Reload the page of editor interface to trigger the XSS

Affects Plugins

Fixed in 12.3.21

References

CVE

URL

https://research.cleantalk.org/cve-2024-10515/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/

Verified

Yes

WPVDB ID

367aad17-fbb5-48eb-8829-5d3513098d02

Timeline

Publicly Published

2024-10-30 (about 1 year ago)

Added

2024-10-30 (about 1 year ago)

Last Updated

2024-11-13 (about 1 year ago)

Other

Published

Title

Published

2022-07-11

Title

GiveWP < 2.21.3 - Admin+ Stored Cross-Site Scripting

Published

2025-02-24

Title

EZ InLinkz linkup <= 0.18 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2014-08-01

Title

Responsive Logo Slideshow - URL & Image Field XSS

Published

2024-04-15

Title

WP Dynamic Keywords Injector < 2.3.22 - Reflected Cross-Site Scripting

Published

2015-05-06

Title

Jetpack <= 3.5.2 - Unauthenticated DOM Cross-Site Scripting (XSS)