Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Network-accessible, unauthenticated broken access control with high complexity due to non-obvious endpoint; integrity-only impact with no confidentiality or availability effect confirmed.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
Unauthenticated Broken Access Control in SEO Plugin by Squirrly SEO <= 12.4.16 versions.
AnalysisAI
Broken access control in SEO Plugin by Squirrly SEO version 12.4.16 and earlier allows unauthenticated remote attackers to perform unauthorized privileged actions, resulting in high integrity impact against affected WordPress installations. The flaw stems from missing authorization checks (CWE-862), permitting requests to restricted functionality without any credential validation. No public exploit code or active CISA KEV listing has been identified at time of analysis, though the CVSS high-complexity rating suggests exploitation requires meeting specific conditions beyond a simple direct request.
Technical ContextAI
The vulnerability exists in the SEO Plugin by Squirrly SEO WordPress plugin, identified under CPE cpe:2.3:a:seo_squirrly:seo_plugin_by_squirrly_seo:*:*:*:*:*:*:*:* covering all versions through 12.4.16. CWE-862 (Missing Authorization) is the root cause class, meaning the plugin exposes one or more privileged actions - such as modifying SEO settings, post metadata, or administrative configurations - via WordPress AJAX handlers, REST API endpoints, or admin-post hooks that fail to verify whether the requesting user holds the required capability or nonce. WordPress plugins are particularly prone to this class of flaw when developers register action hooks (wp_ajax_nopriv_ or REST routes with no permission_callback) without enforcing WordPress capability checks such as current_user_can(). The AC:H rating on the CVSS vector implies the exploit path is not trivially reliable and may require knowledge of a specific endpoint name, parameter format, or timing condition.
RemediationAI
Update the SEO Plugin by Squirrly SEO to a version beyond 12.4.16 via the WordPress plugin dashboard or by downloading the latest release from the WordPress plugin repository. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/squirrly-seo/vulnerability/wordpress-seo-plugin-by-squirrly-seo-plugin-12-4-16-broken-access-control-vulnerability should be consulted for the confirmed fixed version, as an exact patched release number was not independently verifiable from the available data. If immediate update is not feasible, consider temporarily deactivating the plugin to eliminate the attack surface, accepting the trade-off of losing SEO functionality. Alternatively, a web application firewall (WAF) rule targeting the specific vulnerable endpoint - identifiable from the Patchstack advisory - can block unauthorized requests without disabling the plugin entirely. Sites using the Patchstack WordPress security plugin may benefit from virtual patching rules published by Patchstack for this CVE.
More in Seo Plugin By Squirrly Seo
View allStored Cross-Site Scripting in the SEO Plugin by Squirrly SEO for WordPress (versions up to and including 12.3.19) allow
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Squirrly SEO Plugi
Auth. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch
In the process of testing the SEO Plugin by Squirrly SEO WordPress plugin before 12.3.21, a vulnerability was found that
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Squirrly SEO Plugi
The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to blind SQL Injection via the 'search' parameter in a
Missing Authorization vulnerability in Squirrly SEO Plugin by Squirrly SEO.1.20. Rated medium severity (CVSS 6.3), this
The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in a
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37050
GHSA-9qmf-rqj7-2pp7