Skip to main content

Geo Plugin By Squirrly Seo CVE-2026-1667

| EUVDEUVD-2026-42949 HIGH
Missing Authorization (CWE-862)
2026-07-10 Wordfence GHSA-x8f2-2f6r-99xx
7.2
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Primary rating from Vendor (Wordfence) · only source for this CVE.

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 10, 2026 - 17:31 vuln.today
CVE Published
Jul 10, 2026 - 16:32 nvd
HIGH 7.2

DescriptionCVE.org

The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Arbitrary Post Creation and Stored Cross-Site Scripting in all versions up to, and including, 14.0.0 due to a leak of an API token and insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to create arbitrary posts, and, if the Advanced Custom Fields plugin is installed and activated, inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Missing authorization in the Squirrly SEO plugin for WordPress (all versions through 14.0.0) lets unauthenticated attackers create arbitrary posts by abusing a leaked API token, and — when the Advanced Custom Fields (ACF) plugin is also active — plant stored cross-site scripting that fires whenever any user views the injected page. Wordfence rates it CVSS 7.2 with scope change because a single unauthenticated request can seed persistent content and script that later executes in visitors' and administrators' browsers. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours: identify and disable or remove Squirrly SEO plugin (versions 14.0.0 and earlier) from all WordPress installations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-1667 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy