WordPress SEO Plugin by Squirrly SEO Plugin <= 12.1.10 is vulnerable to Arbitrary File Upload
Description
Authenticated contributors can upload arbitrary files in Squirrly SEO plugin <=12.1.10, leading to remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Squirrly SEO plugin for WordPress (versions 12.1.10 and earlier) contains an arbitrary file upload vulnerability. An authenticated user with at least Contributor-level privileges can upload files without proper validation of file type or content, allowing the upload of executable scripts such as PHP files. The vulnerability resides in the plugin's file upload functionality, which fails to restrict the file extensions or sanitize the uploaded content.
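The paragraph above describes the class of defect (an upload path that checks neither extension nor content). The following is an added, defender-side example and is not Squirrly SEO's code; it shows the checks a WordPress upload handler needs so that a Contributor-level account cannot place an executable file in the uploads directory. The hook name `example_plugin_upload`, the nonce action `example_plugin_upload_nonce`, and the allowlist are assumptions chosen for illustration.

```php
<?php
// Added example (not the plugin's code): a hardened WordPress upload handler.
// Hook and nonce names below are hypothetical.

add_action( 'wp_ajax_example_plugin_upload', 'example_plugin_handle_upload' );

function example_plugin_handle_upload() {
    // 1. Capability check. The Contributor role does not have 'upload_files'
    //    by default, so the handler refuses before it touches the file.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce for this action.
    check_ajax_referer( 'example_plugin_upload_nonce', 'nonce' );

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. A short allowlist for this feature, not everything WordPress permits.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'csv'      => 'text/csv',
    );

    $filename = sanitize_file_name( $_FILES['file']['name'] );

    // 4. Check extension AND content. wp_check_filetype_and_ext() inspects the
    //    real file type (finfo / getimagesize) and returns empty 'ext'/'type'
    //    when the content does not match the allowlisted type, e.g. a script
    //    renamed to .jpg. It may also return a corrected 'proper_filename'.
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $filename, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $filename = $check['proper_filename'];
    }

    // 5. Let WordPress move the file into the uploads directory. 'test_type'
    //    with 'mimes' makes wp_handle_upload() re-run the type check itself.
    $_FILES['file']['name'] = $filename;
    $result = wp_handle_upload(
        $_FILES['file'],
        array(
            'test_form' => false,
            'test_type' => true,
            'mimes'     => $allowed,
        )
    );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The three checks that matter for this bug class are the capability gate, the content-aware type check, and the explicit allowlist; a handler that validates only the client-supplied filename or MIME header is still exposed, because both are attacker-controlled.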
Exploitation
An attacker must have a WordPress account with Contributor role or higher. The attacker can then navigate to the plugin's upload interface and select a malicious file (e.g., a PHP web shell). The plugin processes the upload without verifying the file type, storing the file in a web-accessible directory. No additional user interaction or race condition is required.
Impact
Successful exploitation allows the attacker to execute arbitrary PHP code on the server. This can lead to full compromise of the WordPress site, including data theft, privilege escalation, and further attacks on the underlying server. The attacker gains the same privileges as the web server user.
Mitigation
The vulnerability is fixed in version 12.1.11 and later. The current stable version is 12.4.16 [1]. Users should update the plugin immediately via the WordPress admin dashboard or by downloading the latest version from the WordPress plugin repository. No workaround is available for unpatched versions.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=12.1.10
- Range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.