SEOPress <= 5.0.0 – 5.0.3 Authenticated Stored Cross-Site Scripting
CVE-2021-34641

6.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Seopress
Vendor: CVE Published:; 16 August 2021

Summary

The SEOPress WordPress plugin is vulnerable to Stored Cross-Site-Scripting via the processPut function found in the ~/src/Actions/Api/TitleDescriptionMeta.php file which allows authenticated attackers to inject arbitrary web scripts, in versions 5.0.0 - 5.0.3.

Affected Version(s)

SEOPress 5.0.0

SEOPress 5.0.1

SEOPress 5.0.2

References

https://www.wordfence.com/blog/2021/08/xss-vulnerability-...

x_refsource_MISC

https://plugins.trac.wordpress.org/browser/wp-seopress/ta...

x_refsource_MISC

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Aug 16, 2021
Vulnerability Reserved
Jun 10, 2021

Credit

Chloe Chamberland, Wordfence