WordPress Plugin Vulnerabilities

SEO Plugin by Squirrly SEO < 11.1.12 - Reflected Cross-Site Scripting

Description

The plugin does not escape the type parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting

Proof of Concept

Affects Plugins

Plugin icon
squirrly-seo
Fixed in 11.1.12

References

CVE
CVE-2021-25019

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
cea0ce4b-886a-47cc-8653-a297e9759d09

Timeline

Publicly Published
2022-02-28 (about 3 years ago)
Added
2022-02-28 (about 3 years ago)
Last Updated
2022-04-08 (about 3 years ago)

Other

Published
Title
Published
2014-08-01
Title
PictureFactory - Unspecified XSS
Published
2019-06-26
Title
WP Ultimate Recipe <= 3.12.6 - Authenticated Stored XSS
Published
2025-03-31
Title
Ethiopian Calendar <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-12-13
Title
The Permalinker < 1.9.0 - Contributor+ Stored XSS
Published
2025-06-05
Title
HT Team Member < 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting