XSS vulnerability patched in SEOPress, a WordPress Plugin installed on over 100,000 sites.

The flaw made it possible for an attacker to inject arbitrary web scripts on a vulnerable site which would execute anytime a user accessed the “All Posts” page.

SEOPress is a WordPress plugin designed to optimize the SEO of WordPress sites through many different features, like the ability to add SEO meta-data, breadcrumbs, schemas, and more. One feature the plugin implements is the ability to add an SEO title and description to posts, and this can be done while saving edits to a post or via a newly introduced REST-API endpoint.

register_rest_route('seopress/v1', '/posts/(?P<id>\d+)/title-description-metas', [
    'methods'             => 'PUT',
    'callback'            => [$this, 'processPut'],
    'args'                => [
        'id' => [
            'validate_callback' => function ($param, $request, $key) {
                return is_numeric($param);

Unfortunately, this REST-API endpoint was insecurely implemented. The permissions_callback for the endpoint only verified if the user had a valid REST-API nonce in the request. A valid REST-API nonce can be generated by any authenticated user using the rest-nonce WordPress core AJAX action. This meant that any authenticated user, like a subscriber, could call the REST route with a valid nonce, and update the SEO title and description for any post.

Buy Me A Coffee
'permission_callback' => function ($request) {
    $nonce = $request->get_header('x-wp-nonce');
    if ( ! wp_verify_nonce($nonce, 'wp_rest')) {
        return false;
    return true;

The payload could include malicious web scripts, like JavaScript, due to a lack of sanitization or escaping on the stored parameters. These web scripts would then execute any time a user accessed the “All Posts” page. As always, cross-site scripting vulnerabilities such as this one can lead to a variety of malicious actions like new administrative account creation, web shell injection, arbitrary redirects, and more. This vulnerability could easily be used by an attacker to take over a WordPress site.

Is Russia Banning VPNs? New Restrictions Loom

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a vulnerability that can lead to a full site takeover.