WordPress Plugin Vulnerabilities

SEO Backlinks <= 4.0.1 - CSRF to Stored XSS

Description

The SEO Backlinks WordPress plugin is vulnerable to Cross-Site Request Forgery via the loc_config function found in the ~/seo-backlinks.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.0.1.

Proof of Concept

Affects Plugins

Plugin icon
seo-backlinks
No known fix

References

CVE
CVE-2021-34632
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34632

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Takahiro Yamashita
Submitter
Wordfence
Submitter website
https://wordfence.com
Verified
Yes
WPVDB ID
7cfefcc9-adbf-4afc-b25f-92f417650359

Timeline

Publicly Published
2021-07-28 (about 4 years ago)
Added
2021-07-28 (about 4 years ago)
Last Updated
2022-02-24 (about 4 years ago)

Other

Published
Title
Published
2024-04-22
Title
WP ADA Compliance Check Basic – Most Comprehensive Web Accessibility Solution for WordPress < 3.1.4 - Cross-Site Request Forgery
Published
2025-04-25
Title
wp-cyr-cho <= 0.1 - Cross-Site Request Forgery
Published
2025-09-22
Title
WorkScout-Core < 1.7.06 - Cross-Site Request Forgery
Published
2025-04-04
Title
Freetobook Responsive Widget < 1.1.1 - Cross-Site Request Forgery
Published
2025-12-31
Title
Simple Archive Generator <= 5.2 - Cross-Site Request Forgery