WordPress SEO Plugin by Squirrly SEO Plugin <= 12.1.20 is vulnerable to Cross Site Scripting (XSS)
Description
Unauthenticated reflected XSS in Squirrly SEO Plugin <=12.1.20 allows attackers to inject arbitrary web scripts via crafted requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Squirrly SEO Plugin by Squirrly SEO (squirrly-seo), in versions up to and including 12.1.20, contains an unauthenticated reflected Cross-Site Scripting (XSS) vulnerability [1]. The record does not name the affected parameter or page; it states only that the plugin reflects request input without sanitization and that the reflecting request needs no authentication. Reflected XSS occurs when user-supplied data is echoed back in the response without being escaped for its output context (HTML text, attribute value, or script), so markup or script carried in the request is rendered by the victim's browser in the site's origin.
Exploitation
An attacker exploits this by crafting a URL whose query parameter or path segment carries a payload that the plugin reflects unescaped. No authentication is required to reach the reflecting endpoint; what the attacker needs is a victim with a useful session, so the attack relies on getting a logged-in WordPress administrator or other user to open the link (phishing, a comment, a shortened URL). When the victim loads it, the embedded script executes in the origin of the WordPress site, which lets it read the page, issue requests that carry the victim's cookies, and read the responses.
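The check a tester runs to confirm this class of flaw is to reflect an inert canary containing the characters an HTML escaper must neutralise and see whether they come back verbatim or entity-encoded. The following is an added example, not code from the Squirrly SEO plugin or the CVE record: the parameter name `q`, the base URL, and both response bodies are constructed here, because the advisory does not name the vulnerable parameter. The two handlers stand in for an unescaped echo and for the same echo with HTML escaping (the equivalent of WordPress `esc_html()`); in a real test you would fetch the probe URL and run `classify` over the response text.

```python
"""Reflected-XSS reflection check for one query parameter.

Added example; not code from the Squirrly SEO plugin or from the CVE record.
The parameter name, base URL and response bodies are constructed for
illustration; the advisory does not identify the vulnerable parameter.
"""
import html
from urllib.parse import urlencode, urlsplit, parse_qs

# Inert canary: contains every character HTML escaping must neutralise.
# Proving that these survive unescaped is enough; no executable payload is needed.
CANARY = '<zq"\'>'


def build_probe_url(base: str, param: str, canary: str = CANARY) -> str:
    """Put the URL-encoded canary into the named query parameter."""
    return f"{base}?{urlencode({param: canary})}"


def _param(query_url: str, name: str = "q") -> str:
    return parse_qs(urlsplit(query_url).query).get(name, [""])[0]


def vulnerable_handler(query_url: str) -> str:
    """Constructed stand-in for a reflecting endpoint: echoes input into HTML text unescaped."""
    return f"<p>Results for {_param(query_url)}</p>"


def hardened_handler(query_url: str) -> str:
    """Same endpoint, but escaped for HTML text context (what esc_html() does in WordPress)."""
    return f"<p>Results for {html.escape(_param(query_url), quote=True)}</p>"


def classify(body: str, canary: str = CANARY) -> str:
    """'unescaped' if the canary survived verbatim (reflection without escaping),
    'escaped' if it came back only as entities, 'absent' if not reflected at all."""
    if canary in body:
        return "unescaped"
    if html.escape(canary, quote=True) in body:
        return "escaped"
    return "absent"


if __name__ == "__main__":
    probe = build_probe_url("https://example.test/", "q")  # hypothetical endpoint
    print(probe)
    print("vulnerable:", classify(vulnerable_handler(probe)))
    print("hardened:  ", classify(hardened_handler(probe)))
```

The canary is context-specific: it proves reflection into HTML text. An attribute-value or JavaScript-string sink needs a different canary (for example a quote that closes the attribute), and WordPress has a matching escaper for each (`esc_attr()`, `esc_js()`); escaping for the wrong context is a common reason a fix looks complete and is not.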
Impact
Successful exploitation lets the attacker execute arbitrary JavaScript in the victim's browser in the site's origin: defacing the page, redirecting to a malicious site, or capturing credentials typed into an injected form. Because WordPress sets its authentication cookies HttpOnly, script cannot usually read the session cookie directly; the more realistic path against an administrator is script that uses the victim's authenticated session from inside the page, reading the nonces the admin pages expose and then performing actions with them (creating a user, installing a plugin, changing site settings), which amounts to a takeover of the site.
Mitigation
The vulnerability is fixed in version 12.1.21 and later of the Squirrly SEO Plugin [1]. Users should update to the current release (12.4.16 as of the reference) and confirm the installed version afterwards, either from the plugin's header in wp-content/plugins/squirrly-seo/ or with `wp plugin get squirrly-seo --field=version`. If an immediate update is not possible, a web application firewall rule that blocks reflected-XSS patterns reduces exposure but is not a fix: pattern filters are bypassable and do not address the missing output escaping. The vendor provides no workaround short of updating. The plugin is actively maintained and supported.
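Deciding whether an installation is inside the affected range is a version comparison, and string comparison gets it wrong (as strings, "12.1.9" sorts above "12.1.20"). The following is an added example, not code from the plugin, the vendor or the CVE record: it reads the `Version:` line from a WordPress plugin file header (the format WordPress itself parses) and compares numerically against the advisory's upper bound. The header text is constructed as sample input; the real one is in the plugin's main PHP file, whose name the advisory does not give.

```python
"""Version gate for the affected range (<= 12.1.20) of squirrly-seo.

Added example; not code from the plugin, the vendor or the CVE record.
SAMPLE_HEADER is constructed to look like a WordPress plugin file header.
"""
import re
from pathlib import Path

LAST_VULNERABLE = "12.1.20"   # upper bound of the affected range in the advisory
FIXED_IN = "12.1.21"          # first fixed release per the advisory

# Mirrors WordPress's own header parser: optional comment punctuation, then "Version:".
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE)


def parse_version(v: str) -> tuple:
    """Turn 'a.b.c' into a tuple of ints so that 12.1.9 < 12.1.20.

    Trailing zero components are dropped so 12.1.20.0 == 12.1.20.
    Anything that is not purely dotted digits (e.g. '12.1.21-beta') raises,
    because whether a pre-release carries the fix cannot be decided here.
    """
    v = v.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", v):
        raise ValueError(f"not a plain dotted version: {v!r}")
    parts = [int(p) for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(installed: str) -> bool:
    """True if the installed version falls inside the advisory's range."""
    return parse_version(installed) <= parse_version(LAST_VULNERABLE)


def version_from_plugin_header(php_source: str) -> str:
    """Extract the 'Version:' value from a plugin file header comment."""
    m = HEADER_RE.search(php_source)
    if not m:
        raise ValueError("no Version: line found in plugin header")
    return m.group(1)


def check_plugin_file(path: str) -> bool:
    """Read a plugin's main file and report whether its version is affected."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return is_affected(version_from_plugin_header(text))


# Constructed sample header (not the real plugin file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Squirrly SEO
 * Plugin URI: https://example.test/
 * Version: 12.1.20
 */
"""

if __name__ == "__main__":
    v = version_from_plugin_header(SAMPLE_HEADER)
    print(v, "affected" if is_affected(v) else "not affected")
    for candidate in ("12.1.9", "12.1.20", "12.1.21", "12.4.16"):
        print(candidate, is_affected(candidate))
```

On a live site, pass the main plugin file path to `check_plugin_file`; a return of True means the update has not been applied, regardless of what the dashboard shows, so it is a useful second check after `wp plugin update`.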
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=12.1.20
- Range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference ([1]; the URL is not present on this page)
News mentions
No linked articles in our index yet.