Arbitrary Post Creation and XSS Vulnerabilities in Squirrly SEO for WordPress
CVE-2026-1667
7.2HIGH
What is CVE-2026-1667?
The Squirrly SEO plugin for WordPress is exposed to serious security flaws due to an API token leak and inadequate data sanitization. Unauthenticated attackers can exploit these weaknesses to create arbitrary posts. Additionally, if the Advanced Custom Fields plugin is active, attackers can inject malicious scripts that execute in the context of users visiting affected pages, potentially compromising site integrity and user security.
Affected Version(s)
GEO Plugin by Squirrly SEO 0 <= 14.0.0