<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>The SEO Plugin by Squirrly SEO (&lt;= 14.0.0) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/the-seo-plugin-by-squirrly-seo--14.0.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 17:19:01 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/the-seo-plugin-by-squirrly-seo--14.0.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>Arbitrary Post Creation and Stored XSS in Squirrly SEO Plugin for WordPress</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-1667-squirrly-seo/</link><pubDate>Fri, 10 Jul 2026 17:19:01 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-1667-squirrly-seo/</guid><description>An arbitrary post creation and stored cross-site scripting (XSS) vulnerability exists in The SEO Plugin by Squirrly SEO for WordPress, affecting versions up to and including 14.0.0. This flaw, caused by an API token leak and insufficient input sanitization/output escaping, allows unauthenticated attackers to create arbitrary posts. If the Advanced Custom Fields plugin is also installed, attackers can inject arbitrary web scripts into pages that execute when a user accesses an injected page, leading to potential client-side compromise.</description><content:encoded><![CDATA[<p>CVE-2026-1667 identifies a critical vulnerability within The SEO Plugin by Squirrly SEO for WordPress, affecting all versions up to and including 14.0.0. This flaw stems from a leaked API token combined with insufficient input sanitization and output escaping mechanisms. Unauthenticated attackers can exploit this vulnerability to perform arbitrary post creation on affected WordPress sites. A more severe impact occurs if the Advanced Custom Fields (ACF) plugin is also installed and active, as it enables attackers to inject arbitrary web scripts (Stored Cross-Site Scripting or XSS) directly into site pages. These malicious scripts execute in the browsers of users who visit the compromised pages, potentially leading to session hijacking, credential theft, or further client-side attacks. Given WordPress's widespread use, this vulnerability poses a significant risk for website defacement and user compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a WordPress instance running The SEO Plugin by Squirrly SEO version 14.0.0 or earlier.</li>
<li>The attacker crafts a malicious HTTP POST request, leveraging the publicly known leaked API token to bypass standard authentication mechanisms.</li>
<li>The request is directed towards a WordPress endpoint responsible for creating new posts, such as <code>/wp-json/wp/v2/posts</code> or <code>/wp-admin/post-new.php</code>.</li>
<li>The attacker includes the desired content for an arbitrary post within the request body.</li>
<li>If the Advanced Custom Fields plugin is present on the target system, the attacker embeds a malicious JavaScript payload (Stored XSS) within the crafted post content.</li>
<li>Due to the Squirrly SEO plugin's insufficient input sanitization, the WordPress site processes the request and publishes the arbitrary post, including the embedded XSS payload if applicable.</li>
<li>The newly created or modified post, containing the malicious script, becomes live on the WordPress website.</li>
<li>When a legitimate user visits the compromised page, the stored XSS payload executes in their browser, leading to client-side compromise, such as cookie theft, redirection, or defacement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-1667 allows unauthenticated attackers to create arbitrary posts on a vulnerable WordPress site, leading to website defacement, publication of malicious or misleading content, or phishing attempts. When combined with the Advanced Custom Fields plugin, the vulnerability escalates to Stored Cross-Site Scripting (XSS), enabling the injection and execution of arbitrary web scripts in visitors' browsers. This can result in session hijacking, credential theft, redirection to malicious sites, or further client-side exploitation. The CVSS v3.1 Base Score of 7.2 indicates a high severity risk, emphasizing the potential for significant reputational and security damage to affected organizations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-1667 immediately by updating The SEO Plugin by Squirrly SEO to a version beyond 14.0.0 as soon as a fix is available.</li>
<li>Deploy the Sigma rule &quot;Detect CVE-2026-1667 Exploitation Attempt - Suspicious WordPress Post Creation with XSS&quot; to your SIEM and tune for your environment to detect suspicious post creation attempts.</li>
<li>Monitor web server logs for suspicious HTTP POST requests directed at WordPress post creation endpoints (e.g., <code>/wp-admin/post-new.php</code>, <code>/wp-json/wp/v2/posts</code>), especially those from unusual IP addresses or containing script-like content in the request body.</li>
<li>Regularly review WordPress audit logs for any unexpected or unauthorized post creations or modifications, as this could indicate compromise via the arbitrary post creation capability.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin-vulnerability</category><category>xss</category><category>arbitrary-post-creation</category></item></channel></rss>