Skip to main content

Squirrly SEO CVE-2026-52714

| EUVDEUVD-2026-37050 MEDIUM
Missing Authorization (CWE-862)
2026-06-16 Patchstack GHSA-9qmf-rqj7-2pp7
5.9
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
5.9 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
5.9 MEDIUM

Network-accessible, unauthenticated broken access control with high complexity due to non-obvious endpoint; integrity-only impact with no confidentiality or availability effect confirmed.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 16, 2026 - 10:24 vuln.today
Severity Changed
Jun 16, 2026 - 10:22 NVD
HIGH MEDIUM
CVSS changed
Jun 16, 2026 - 10:22 NVD
7.5 (HIGH) 5.9 (MEDIUM)

DescriptionCVE.org

Unauthenticated Broken Access Control in SEO Plugin by Squirrly SEO <= 12.4.16 versions.

AnalysisAI

Broken access control in SEO Plugin by Squirrly SEO version 12.4.16 and earlier allows unauthenticated remote attackers to perform unauthorized privileged actions, resulting in high integrity impact against affected WordPress installations. The flaw stems from missing authorization checks (CWE-862), permitting requests to restricted functionality without any credential validation. No public exploit code or active CISA KEV listing has been identified at time of analysis, though the CVSS high-complexity rating suggests exploitation requires meeting specific conditions beyond a simple direct request.

Technical ContextAI

The vulnerability exists in the SEO Plugin by Squirrly SEO WordPress plugin, identified under CPE cpe:2.3:a:seo_squirrly:seo_plugin_by_squirrly_seo:*:*:*:*:*:*:*:* covering all versions through 12.4.16. CWE-862 (Missing Authorization) is the root cause class, meaning the plugin exposes one or more privileged actions - such as modifying SEO settings, post metadata, or administrative configurations - via WordPress AJAX handlers, REST API endpoints, or admin-post hooks that fail to verify whether the requesting user holds the required capability or nonce. WordPress plugins are particularly prone to this class of flaw when developers register action hooks (wp_ajax_nopriv_ or REST routes with no permission_callback) without enforcing WordPress capability checks such as current_user_can(). The AC:H rating on the CVSS vector implies the exploit path is not trivially reliable and may require knowledge of a specific endpoint name, parameter format, or timing condition.

RemediationAI

Update the SEO Plugin by Squirrly SEO to a version beyond 12.4.16 via the WordPress plugin dashboard or by downloading the latest release from the WordPress plugin repository. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/squirrly-seo/vulnerability/wordpress-seo-plugin-by-squirrly-seo-plugin-12-4-16-broken-access-control-vulnerability should be consulted for the confirmed fixed version, as an exact patched release number was not independently verifiable from the available data. If immediate update is not feasible, consider temporarily deactivating the plugin to eliminate the attack surface, accepting the trade-off of losing SEO functionality. Alternatively, a web application firewall (WAF) rule targeting the specific vulnerable endpoint - identifiable from the Patchstack advisory - can block unauthorized requests without disabling the plugin entirely. Sites using the Patchstack WordPress security plugin may benefit from virtual patching rules published by Patchstack for this CVE.

Share

CVE-2026-52714 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy