Stored Cross-Site Scripting in SEOPress SEO Plugin for WordPress
CVE-2024-2165

6.4 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 9 April 2024

Summary

The SEOPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting because the image alt parameter is inadequately sanitized. The flaw affects all versions up to and including 7.5.2.1. Authenticated attackers with author-level access or higher can inject malicious scripts into pages; the scripts execute in the browser of any user who visits an affected page, potentially leading to unauthorized data access or session hijacking.

Affected Version(s)

SEOPress – On-site SEO * <= 7.5.2.1

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ngô Thiên An
Son Tran