WordPress Plugin Vulnerabilities

SEO Plugin by Squirrly SEO < 12.3.16 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
squirrly-seo
Fixed in 12.3.16

References

CVE
CVE-2024-0597
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a61a8d8b-f22f-4a16-95f6-6cf52cf545ad

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Akbar Kustirama
Verified
No
WPVDB ID
637cb54b-ba46-4e11-8610-227bfb2e6795

Timeline

Publicly Published
2024-01-29 (about 2 years ago)
Added
2024-01-31 (about 2 years ago)
Last Updated
2024-01-31 (about 2 years ago)

Other

Published
Title
Published
2024-09-16
Title
Geo Mashup < 1.13.13 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-06
Title
Gutentor < 3.4.4 - Contributor+ Stored XSS
Published
2026-02-02
Title
Unlimited Elements for Elementor < 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Border Hero Widget
Published
2025-10-29
Title
Easy Invoice < 2.1.0 - Unauthenticated Stored Cross-Site Scripting
Published
2022-03-23
Title
Simple Event Planner < 1.5.5 - Contributor+ Stored XSS