Today the Squirrly SEO team released version 6.1.5 of their WordPress plugin, fixing two security vulnerabilities. They have over 20,000 active users according to wordpress.org. Panagiotis Vagenas, Security Analyst here at Wordfence, discovered the vulnerabilities. Details were shared with the author and firewall rules were added to the Wordfence Threat Defense Feed on Friday. The path traversal and privilege escalation vulnerabilities impact versions 6.1.4 and older.

Vulnerability 1: Privilege Escalation

CVSS Severity: 8.8 (High)

This vulnerability allows an attacker to modify plugin settings on a site with registration enabled. On a stand-alone basis the value to an attacker is relatively low, enabling them to do things like add or change the site favicon, upload featured images for posts or retrieve SEO settings for a post. As you’ll see below, the real danger with this vulnerability is when it is used in conjunction with another.

Vulnerability 2: Path Traversal

CVSS Severity: 8.1 (High)

This vulnerability allows an attacker to download any file from a WordPress server, including the wp-config.php file. That file includes database credentials for the website and other information
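Both vulnerability classes described above come down to two missing checks in a plugin's request handlers: an authorization check before a settings change (a registered subscriber is still an authenticated user, so "logged in" is not enough), and a path containment check before a file is served. The following is an added example of what those checks look like in a WordPress plugin; it is not code from Squirrly SEO or from Wordfence, and the hook names, option name, nonce actions and the choice of the uploads directory as the only served location are assumptions for illustration.

```php
<?php
// Added example, not code from the Squirrly SEO plugin or from Wordfence.
// Hardening patterns for the two vulnerability classes discussed above:
// (1) a capability check before a plugin settings change, and
// (2) path containment before a file download is served.
// Hook names, option name, nonce actions and the uploads base dir are assumed.

// Reject any settings change from a user who cannot manage options.
// A site with open registration hands out the "subscriber" role freely, so
// an is-logged-in test never authorizes an admin-level action on its own.
function example_save_plugin_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // CSRF protection: the request must carry a nonce for this exact action.
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    $favicon = isset( $_POST['favicon'] ) ? esc_url_raw( wp_unslash( $_POST['favicon'] ) ) : '';
    update_option( 'example_plugin_favicon', $favicon );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings', 'example_save_plugin_settings' );

// Return the canonical path of $requested if it resolves inside $base_dir,
// or false otherwise. realpath() resolves "..", "." and symlinks, so the
// prefix comparison is a containment test on the resolved path rather than
// a blacklist of "../" substrings, which encoding variants slip past.
function example_contained_path( $base_dir, $requested ) {
    $base = realpath( $base_dir );
    $full = realpath( $base_dir . DIRECTORY_SEPARATOR . $requested );
    if ( false === $base || false === $full ) {
        return false; // nonexistent file or directory
    }
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strpos( $full, $base ) ) {
        return false; // resolved outside the allowed directory
    }
    return $full;
}

// Serve files from the uploads directory only. wp-config.php lives above
// that directory, so no request value can resolve to it through this path.
function example_download_file() {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_download_nonce' );

    $uploads = wp_upload_dir();
    $name    = isset( $_GET['file'] ) ? wp_unslash( $_GET['file'] ) : '';
    $path    = example_contained_path( $uploads['basedir'], $name );
    if ( false === $path || ! is_file( $path ) ) {
        wp_die( 'file not found', '', array( 'response' => 404 ) );
    }

    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}
add_action( 'admin_post_example_download', 'example_download_file' );
```

The containment check is the part worth copying: it compares the fully resolved path against the resolved base directory, so a request that resolves to a file two levels up is rejected regardless of how the traversal sequence was spelled. On the authorization side, the capability names (`manage_options`, `upload_files`) are standard WordPress capabilities that a default subscriber does not hold, which is exactly the distinction an open-registration site needs.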