Skip to main content

Squirrly SEO Plugin CVE-2024-6497

HIGH
SQL Injection (CWE-89)
2024-07-20 security@wordfence.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch released
Apr 08, 2026 - 19:39 nvd
Patch available
PoC Detected
Apr 08, 2026 - 19:22 vuln.today
Public exploit code
CVE Published
Jul 20, 2024 - 09:15 nvd
HIGH 8.8

DescriptionCVE.org

The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 12.3.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-43286 appears to be a duplicate of this issue.

AnalysisAI

Stored Cross-Site Scripting in the SEO Plugin by Squirrly SEO for WordPress (versions up to and including 12.3.19) allows Contributor-level authenticated users to inject arbitrary JavaScript via the 'url' parameter, executing in browsers of any user who views the affected page. Publicly available exploit code exists and EPSS scores this in the 96th percentile (22.89%) for likelihood of exploitation, though it is not currently listed in CISA KEV. Note that the assigned CWE-89 (SQL Injection) appears inconsistent with the description, which clearly describes Stored XSS (CWE-79).

Technical ContextAI

The vulnerability resides in the Squirrly SEO plugin (CPE cpe:2.3:a:squirrly:seo_plugin_by_squirrly_seo), a popular WordPress SEO optimization extension. The root cause is insufficient input sanitization and output escaping on the 'url' parameter, allowing attacker-supplied data to be stored in the database and later rendered into pages without encoding. While the CWE is labeled CWE-89 (SQL Injection) and tags include 'SQLi', the description characterizes this as Stored XSS - typically CWE-79 - suggesting either a CWE misclassification by the reporter or that the underlying input flow also touches database operations. WordPress role-based access enables Contributors (a low-privilege content-creation role) to reach the vulnerable code path, which is significant because Contributor accounts are commonly granted on multi-author sites.

RemediationAI

Patch available per vendor advisory - upgrade the Squirrly SEO plugin to a version newer than 12.3.19 via the WordPress plugin manager (the exact fix version is not specified in the provided data; verify against the Wordfence advisory and the plugin's WordPress.org changelog before deployment). If immediate patching is not feasible, compensating controls include restricting the Contributor role from sites where it is not strictly required, requiring Editor or higher review before content publication so injected payloads cannot reach viewers, deactivating the Squirrly SEO plugin until the update is applied (which will remove SEO meta features and may regress search visibility), and deploying a WordPress-aware WAF rule (e.g., Wordfence) to filter script payloads in plugin endpoints, accepting the small risk of false positives blocking legitimate URL inputs.

Share

CVE-2024-6497 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy