{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/arbitrary-post-creation/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-1667"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["The SEO Plugin by Squirrly SEO (\u003c= 14.0.0)","Advanced Custom Fields"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin-vulnerability","xss","arbitrary-post-creation"],"_cs_type":"advisory","_cs_vendors":["Squirrly SEO","Advanced Custom Fields"],"content_html":"\u003cp\u003eCVE-2026-1667 identifies a critical vulnerability within The SEO Plugin by Squirrly SEO for WordPress, affecting all versions up to and including 14.0.0. This flaw stems from a leaked API token combined with insufficient input sanitization and output escaping mechanisms. Unauthenticated attackers can exploit this vulnerability to perform arbitrary post creation on affected WordPress sites. A more severe impact occurs if the Advanced Custom Fields (ACF) plugin is also installed and active, as it enables attackers to inject arbitrary web scripts (Stored Cross-Site Scripting or XSS) directly into site pages. These malicious scripts execute in the browsers of users who visit the compromised pages, potentially leading to session hijacking, credential theft, or further client-side attacks. Given WordPress's widespread use, this vulnerability poses a significant risk for website defacement and user compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress instance running The SEO Plugin by Squirrly SEO version 14.0.0 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request, leveraging the publicly known leaked API token to bypass standard authentication mechanisms.\u003c/li\u003e\n\u003cli\u003eThe request is directed towards a WordPress endpoint responsible for creating new posts, such as \u003ccode\u003e/wp-json/wp/v2/posts\u003c/code\u003e or \u003ccode\u003e/wp-admin/post-new.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker includes the desired content for an arbitrary post within the request body.\u003c/li\u003e\n\u003cli\u003eIf the Advanced Custom Fields plugin is present on the target system, the attacker embeds a malicious JavaScript payload (Stored XSS) within the crafted post content.\u003c/li\u003e\n\u003cli\u003eDue to the Squirrly SEO plugin's insufficient input sanitization, the WordPress site processes the request and publishes the arbitrary post, including the embedded XSS payload if applicable.\u003c/li\u003e\n\u003cli\u003eThe newly created or modified post, containing the malicious script, becomes live on the WordPress website.\u003c/li\u003e\n\u003cli\u003eWhen a legitimate user visits the compromised page, the stored XSS payload executes in their browser, leading to client-side compromise, such as cookie theft, redirection, or defacement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-1667 allows unauthenticated attackers to create arbitrary posts on a vulnerable WordPress site, leading to website defacement, publication of malicious or misleading content, or phishing attempts. When combined with the Advanced Custom Fields plugin, the vulnerability escalates to Stored Cross-Site Scripting (XSS), enabling the injection and execution of arbitrary web scripts in visitors' browsers. This can result in session hijacking, credential theft, redirection to malicious sites, or further client-side exploitation. The CVSS v3.1 Base Score of 7.2 indicates a high severity risk, emphasizing the potential for significant reputational and security damage to affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-1667 immediately by updating The SEO Plugin by Squirrly SEO to a version beyond 14.0.0 as soon as a fix is available.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect CVE-2026-1667 Exploitation Attempt - Suspicious WordPress Post Creation with XSS\u0026quot; to your SIEM and tune for your environment to detect suspicious post creation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP POST requests directed at WordPress post creation endpoints (e.g., \u003ccode\u003e/wp-admin/post-new.php\u003c/code\u003e, \u003ccode\u003e/wp-json/wp/v2/posts\u003c/code\u003e), especially those from unusual IP addresses or containing script-like content in the request body.\u003c/li\u003e\n\u003cli\u003eRegularly review WordPress audit logs for any unexpected or unauthorized post creations or modifications, as this could indicate compromise via the arbitrary post creation capability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T17:19:01Z","date_published":"2026-07-10T17:19:01Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-1667-squirrly-seo/","summary":"An arbitrary post creation and stored cross-site scripting (XSS) vulnerability exists in The SEO Plugin by Squirrly SEO for WordPress, affecting versions up to and including 14.0.0. This flaw, caused by an API token leak and insufficient input sanitization/output escaping, allows unauthenticated attackers to create arbitrary posts. If the Advanced Custom Fields plugin is also installed, attackers can inject arbitrary web scripts into pages that execute when a user accesses an injected page, leading to potential client-side compromise.","title":"Arbitrary Post Creation and Stored XSS in Squirrly SEO Plugin for WordPress","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-1667-squirrly-seo/"}],"language":"en","title":"CraftedSignal Threat Feed - Arbitrary-Post-Creation","version":"https://jsonfeed.org/version/1.1"}