Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Primary rating from Vendor (Wordfence) · only source for this CVE.
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Arbitrary Post Creation and Stored Cross-Site Scripting in all versions up to, and including, 14.0.0 due to a leak of an API token and insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to create arbitrary posts, and, if the Advanced Custom Fields plugin is installed and activated, inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Missing authorization in the Squirrly SEO plugin for WordPress (all versions through 14.0.0) lets unauthenticated attackers create arbitrary posts by abusing a leaked API token, and — when the Advanced Custom Fields (ACF) plugin is also active — plant stored cross-site scripting that fires whenever any user views the injected page. Wordfence rates it CVSS 7.2 with scope change because a single unauthenticated request can seed persistent content and script that later executes in visitors' and administrators' browsers. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours: identify and disable or remove Squirrly SEO plugin (versions 14.0.0 and earlier) from all WordPress installations. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42949
GHSA-x8f2-2f6r-99xx