Vendor
An arbitrary post creation and stored cross-site scripting (XSS) vulnerability exists in The SEO Plugin by Squirrly SEO for WordPress, affecting versions up to and including 14.0.0. This flaw, caused by an API token leak and insufficient input sanitization/output escaping, allows unauthenticated attackers to create arbitrary posts. If the Advanced Custom Fields plugin is also installed, attackers can inject arbitrary web scripts into pages that execute when a user accesses an injected page, leading to potential client-side compromise.