Skip to main content

Geo Plugin By Squirrly Seo

1 CVEs product

Monthly

CVE-2026-1667 HIGH This Week

Missing authorization in the Squirrly SEO plugin for WordPress (all versions through 14.0.0) lets unauthenticated attackers create arbitrary posts by abusing a leaked API token, and — when the Advanced Custom Fields (ACF) plugin is also active — plant stored cross-site scripting that fires whenever any user views the injected page. Wordfence rates it CVSS 7.2 with scope change because a single unauthenticated request can seed persistent content and script that later executes in visitors' and administrators' browsers. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the unauthenticated, low-complexity nature makes it an attractive target for automated WordPress campaigns.

Authentication Bypass WordPress XSS Geo Plugin By Squirrly Seo
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
EPSS 0% CVSS 7.2
HIGH This Week

Missing authorization in the Squirrly SEO plugin for WordPress (all versions through 14.0.0) lets unauthenticated attackers create arbitrary posts by abusing a leaked API token, and — when the Advanced Custom Fields (ACF) plugin is also active — plant stored cross-site scripting that fires whenever any user views the injected page. Wordfence rates it CVSS 7.2 with scope change because a single unauthenticated request can seed persistent content and script that later executes in visitors' and administrators' browsers. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the unauthenticated, low-complexity nature makes it an attractive target for automated WordPress campaigns.

Authentication Bypass WordPress XSS +1
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy