Squirrly SEO Plugin CVE-2024-6497
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 12.3.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-43286 appears to be a duplicate of this issue.
AnalysisAI
Stored Cross-Site Scripting in the SEO Plugin by Squirrly SEO for WordPress (versions up to and including 12.3.19) allows Contributor-level authenticated users to inject arbitrary JavaScript via the 'url' parameter, executing in browsers of any user who views the affected page. Publicly available exploit code exists and EPSS scores this in the 96th percentile (22.89%) for likelihood of exploitation, though it is not currently listed in CISA KEV. Note that the assigned CWE-89 (SQL Injection) appears inconsistent with the description, which clearly describes Stored XSS (CWE-79).
Technical ContextAI
The vulnerability resides in the Squirrly SEO plugin (CPE cpe:2.3:a:squirrly:seo_plugin_by_squirrly_seo), a popular WordPress SEO optimization extension. The root cause is insufficient input sanitization and output escaping on the 'url' parameter, allowing attacker-supplied data to be stored in the database and later rendered into pages without encoding. While the CWE is labeled CWE-89 (SQL Injection) and tags include 'SQLi', the description characterizes this as Stored XSS - typically CWE-79 - suggesting either a CWE misclassification by the reporter or that the underlying input flow also touches database operations. WordPress role-based access enables Contributors (a low-privilege content-creation role) to reach the vulnerable code path, which is significant because Contributor accounts are commonly granted on multi-author sites.
RemediationAI
Patch available per vendor advisory - upgrade the Squirrly SEO plugin to a version newer than 12.3.19 via the WordPress plugin manager (the exact fix version is not specified in the provided data; verify against the Wordfence advisory and the plugin's WordPress.org changelog before deployment). If immediate patching is not feasible, compensating controls include restricting the Contributor role from sites where it is not strictly required, requiring Editor or higher review before content publication so injected payloads cannot reach viewers, deactivating the Squirrly SEO plugin until the update is applied (which will remove SEO meta features and may regress search visibility), and deploying a WordPress-aware WAF rule (e.g., Wordfence) to filter script payloads in plugin endpoints, accepting the small risk of false positives blocking legitimate URL inputs.
More in Seo Plugin By Squirrly Seo
View allImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Squirrly SEO Plugi
Auth. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch
In the process of testing the SEO Plugin by Squirrly SEO WordPress plugin before 12.3.21, a vulnerability was found that
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Squirrly SEO Plugi
The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to blind SQL Injection via the 'search' parameter in a
Missing Authorization vulnerability in Squirrly SEO Plugin by Squirrly SEO.1.20. Rated medium severity (CVSS 6.3), this
Broken access control in SEO Plugin by Squirrly SEO version 12.4.16 and earlier allows unauthenticated remote attackers
The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in a
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today