Stored Cross-Site Scripting in DELUCKS SEO Plugin for WordPress
CVE-2019-25146

7.2HIGH

Key Information:

Vendor: Wordpress
Status: Delucks Seo
Vendor: CVE Published:; 7 June 2023

What is CVE-2019-25146?

The DELUCKS SEO plugin for WordPress is susceptible to Stored Cross-Site Scripting through the saveSettings() function, which lacks proper capability checks. This vulnerability arises from inadequate input sanitization and output escaping, enabling unauthenticated attackers to inject arbitrary web scripts. The malicious scripts can execute whenever a victim accesses affected pages, posing significant security risks for website integrity and user safety. The issue affects all versions of the plugin up to and including 2.1.7.

Affected Version(s)

DELUCKS SEO * <= 2.1.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://blog.nintechnet.com/vulnerability-in-the-wordpres...

https://plugins.trac.wordpress.org/changeset/2161211

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 7, 2023
Vulnerability Reserved
Jun 6, 2023

Credit

Jerome Bruandet