SEO Plugin by Squirrly SEO <= 12.4.05 - Authenticated (Subscriber+) SQL Injection via search Parameter
Description
Blind SQL injection in Squirrly SEO WordPress plugin up to 12.4.05 allows authenticated subscribers to extract sensitive database information via the search parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The SEO Plugin by Squirrly SEO for WordPress is vulnerable to blind SQL injection in all versions up to and including 12.4.05. The flaw lies in the handling of the 'search' parameter: the user-supplied value is insufficiently escaped and the existing SQL query is not built with a prepared statement, so an attacker can inject additional SQL. The plugin is widely used for SEO management, and the vulnerable code path is reachable through the plugin's search functionality.
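The following is an added illustration of the bug class the description names, not the plugin's own code (the trac links under References point at the real files, which are not reproduced on this page). It shows a hypothetical admin-ajax search handler that splices a 'search' parameter into a $wpdb query, beside the form that a reviewer would expect: a capability check, a nonce check, LIKE-wildcard escaping and $wpdb->prepare(). All function and hook names prefixed hyp_ are constructed.

```php
<?php
// Added illustration, not Squirrly SEO's code. The hyp_ names are constructed.
// wp_ajax_* hooks are reachable by any logged-in user, i.e. Subscriber and up.

// VULNERABLE pattern: the raw 'search' value becomes part of the SQL text.
// Even esc_sql() on its own is insufficient here, because the value also
// lands inside a LIKE pattern and nothing separates code from data.
function hyp_search_posts_vulnerable() {
    global $wpdb;
    $search = isset( $_POST['search'] ) ? wp_unslash( $_POST['search'] ) : '';
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_status = 'publish' AND post_title LIKE '%{$search}%'";
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// HARDENED pattern: gate the endpoint, verify the nonce, sanitize the input,
// escape LIKE wildcards and bind the value so it cannot alter the query.
function hyp_search_posts_hardened() {
    global $wpdb;

    // A Subscriber has no business running an SEO search endpoint at all.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'hyp_search_nonce', 'nonce' );

    $search = isset( $_POST['search'] )
        ? sanitize_text_field( wp_unslash( $_POST['search'] ) )
        : '';

    // esc_like() neutralises % and _ so the caller cannot widen the match;
    // prepare() then binds the whole pattern as a single string literal.
    $like = '%' . $wpdb->esc_like( $search ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_title LIKE %s
         LIMIT %d",
        $like,
        50
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// Register only the hardened handler for logged-in users.
add_action( 'wp_ajax_hyp_search_posts', 'hyp_search_posts_hardened' );
```

When auditing a plugin for this pattern, search for $wpdb->query, get_results, get_var or get_row calls whose SQL string is built with interpolation or concatenation rather than passed through $wpdb->prepare().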
Exploitation
An attacker must be authenticated with at least Subscriber-level access to the WordPress site. By crafting a malicious 'search' parameter, the attacker can append additional SQL queries to existing ones. The attack is blind, meaning the attacker does not receive direct output but can infer information based on response timing or other side-channel signals. No special network position or user interaction beyond the attacker's own actions is required.
Impact
Successful exploitation allows the attacker to extract sensitive information from the WordPress database, such as user credentials, session tokens, or other confidential data. The attack does not directly lead to remote code execution or file modification, but the information disclosure can be leveraged for further compromise.
Mitigation
As of the publication date, no official fix has been confirmed in the available references. The plugin repository lists version 12.4.16 [1] as the latest, but it is not explicitly stated that this version addresses the vulnerability. Users should update to the latest version and monitor for security announcements. In the absence of a confirmed patch, restricting access to the plugin's functionality for low-privilege users may reduce risk.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=12.4.05
- cifi/SEO Plugin by Squirrly SEO
Patches
- r3250395
- r3248412
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/squirrly-seo/trunk/controllers/Assistant.php (via MITRE)
- plugins.trac.wordpress.org/browser/squirrly-seo/trunk/controllers/Audits.php (via MITRE)
- plugins.trac.wordpress.org/browser/squirrly-seo/trunk/controllers/BulkSeo.php (via MITRE)
- plugins.trac.wordpress.org/browser/squirrly-seo/trunk/controllers/FocusPages.php (via MITRE)
- plugins.trac.wordpress.org/browser/squirrly-seo/trunk/controllers/Onboarding.php (via MITRE)
- plugins.trac.wordpress.org/browser/squirrly-seo/trunk/controllers/Post.php (via MITRE)
- plugins.trac.wordpress.org/browser/squirrly-seo/trunk/models/Snippet.php (via MITRE)
- plugins.trac.wordpress.org/changeset/3248412/ (via MITRE)
- plugins.trac.wordpress.org/changeset/3250395/ (via MITRE)
- wordpress.org/plugins/squirrly-seo/ (via MITRE)
- www.wordfence.com/threat-intel/vulnerabilities/id/1a23ee5c-275f-4d51-8199-1cc2b0086f73 (via MITRE)