Stored Cross-Site Scripting in SEOPress SEO Plugin for WordPress
CVE-2024-2165
6.4 MEDIUM
Summary
The SEOPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image alt parameter because of inadequate input sanitization. The flaw affects all versions up to and including 7.5.2.1. Authenticated attackers with author-level access or higher can inject malicious scripts into pages; the scripts execute in the browser of any user who visits an injected page, potentially leading to unauthorized data access or session hijacking.
Affected Version(s)
SEOPress – On-site SEO * <= 7.5.2.1
CVSS V3.1
Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Ngô Thiên An
Son Tran