Arbitrary Post Creation and XSS Vulnerabilities in Squirrly SEO for WordPress
CVE-2026-1667

7.2HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
10 July 2026

What is CVE-2026-1667?

The Squirrly SEO plugin for WordPress is exposed to serious security flaws due to an API token leak and inadequate data sanitization. Unauthenticated attackers can exploit these weaknesses to create arbitrary posts. Additionally, if the Advanced Custom Fields plugin is active, attackers can inject malicious scripts that execute in the context of users visiting affected pages, potentially compromising site integrity and user security.

Affected Version(s)

GEO Plugin by Squirrly SEO 0 <= 14.0.0

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Osvaldo Noe Gonzalez Del Rio (Os)
.