WordPress Plugin Vulnerabilities

SEOPress 5.0.0 – 5.0.3 - Authenticated Stored Cross-Site Scripting

Description

The plugin is vulnerable to Stored Cross-Site-Scripting via the processPut function found in the ~/src/Actions/Api/TitleDescriptionMeta.php file which allows authenticated attackers to inject arbitrary web scripts.

Proof of Concept

Affects Plugins

Plugin icon
wp-seopress
Fixed in 5.0.4

References

CVE
CVE-2021-34641
URL
https://www.wordfence.com/blog/2021/08/xss-vulnerability-patched-in-seopress-affects-100000-sites/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
https://wordfence.com
Submitter twitter
infosecchloe
Verified
Yes
WPVDB ID
b88613a6-7321-409f-bba3-36450fb17724

Timeline

Publicly Published
2021-08-16 (about 4 years ago)
Added
2021-08-16 (about 4 years ago)
Last Updated
2022-04-09 (about 3 years ago)

Other

Published
Title
Published
2026-01-09
Title
Shortcodes and extra features for Phlox theme < 2.17.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Modern Heading Widget
Published
2025-11-07
Title
Mang Board WP < 2.3.2 - Reflected Cross-Site Scripting
Published
2020-08-29
Title
Real Estate 7 < 3.0.5 - Unauthenticated Reflected XSS
Published
2025-04-09
Title
Aria Font <= 1.4 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2023-10-02
Title
Contractor Contact Form Website to Workflow Tool < 4.1.0 - Reflected XSS