CVE-2026-52714

GEO Plugin by Squirrly SEO <= 12.4.16 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
12.4.17
Patched in
9d
Time to patch

Description

The GEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 12.4.16. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=12.4.16
PublishedJune 15, 2026
Last updatedJune 23, 2026
Affected pluginsquirrly-seo

What Changed in the Fix

Changes introduced in v12.4.17

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan targets **CVE-2026-52714**, a missing authorization vulnerability in the **SEO Plugin by Squirrly SEO** (version <= 12.4.16). The vulnerability allows unauthenticated attackers to perform unauthorized actions, specifically modifying "Automation" settings by adding post types to th…

Show full research plan

This research plan targets CVE-2026-52714, a missing authorization vulnerability in the SEO Plugin by Squirrly SEO (version <= 12.4.16). The vulnerability allows unauthenticated attackers to perform unauthorized actions, specifically modifying "Automation" settings by adding post types to the plugin's configuration.


1. Vulnerability Summary

  • Vulnerability: Missing Authorization (Insecure Direct Object Reference / Missing Capability Check).
  • Location: The handler for the sq_automation_addpostype action (likely within SQ_Controllers_Assistant or a similar backend controller).
  • Cause: While the view (view/Assistant/Automation.php) correctly checks for the sq_manage_settings capability before displaying the form, the server-side handler that processes the POST request fails to verify if the requesting user has the necessary permissions. Additionally, the nonce check is either absent, uses a predictable action, or the nonce is leaked to unauthenticated users.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-post.php or the site root / (depending on whether the hook is admin_init or init). In Squirrly SEO, these are often handled via init.
  • Action: sq_automation_addpostype
  • Payload Parameters:
    • action: sq_automation_addpostype
    • posttype: The slug of a post type to add to the automation list (e.g., post, page, or a custom type).
    • sq_nonce: The security nonce (if enforced).
  • Authentication: Unauthenticated (PR:N).
  • Preconditions: None.

3. Code Flow

  1. Request Entry: An unauthenticated POST request is sent to the site.
  2. Hook Execution: The plugin registers a handler for sq_automation_addpostype (likely via SQ_Classes_FrontController or SQ_Classes_BlockController calling a controller method).
  3. Vulnerable Function: The handler retrieves $_POST['posttype'].
  4. Missing Check: The code proceeds to update the plugin options (likely the patterns array in sq_options) without calling current_user_can( 'sq_manage_settings' ).
  5. Persistence: The new post type is added to the "Automation" configurations, affecting how the plugin generates SEO patterns for that type.

4. Nonce Acquisition Strategy

The vulnerability is rated as unauthenticated (PR:N), meaning the nonce must be either bypassable or retrievable without a login. Squirrly SEO often localizes configuration data for its frontend "SEO Assistant" and "Live Assistant."

  1. Check Frontend Leakage: Navigate to any public page and check for localized script data.
  2. Target Variable: Look for the sq_config JavaScript object or similar localization keys.
  3. Browser Eval:
    • Use browser_navigate to the homepage.
    • Use browser_eval to search for nonces:
      browser_eval("window.sq_config?.nonce || window.SQ_Data?.nonce")
  4. Bypass Analysis: If the handler uses wp_verify_nonce( $_POST['sq_nonce'], -1 ) or check_ajax_referer( 'sq_automation_addpostype', 'sq_nonce', false ) without checking the return value, the nonce can be omitted or set to any value.

5. Exploitation Strategy

Goal: Add a new post type to the Squirrly Automation settings unauthenticated.

  1. Request Type: POST
  2. URL: http://<target>/wp-admin/admin-post.php (or http://<target>/ if admin-post.php returns 403).
  3. Headers: Content-Type: application/x-www-form-urlencoded
  4. Body:
    action=sq_automation_addpostype&posttype=attachment&sq_nonce=[NONCE]
    
    (Note: Using attachment as it is a common built-in type that might not be in the automation list by default).

6. Test Data Setup

  1. Install SEO Plugin by Squirrly SEO version 12.4.16.
  2. Ensure the plugin is activated.
  3. No specific users or posts are required since the attack is unauthenticated.

7. Expected Results

  • HTTP Response: A 302 Redirect (standard for admin-post.php) or a 200 OK with success indicators.
  • Success Indicator: The sq_options database entry (specifically the patterns key) will now include an entry for the attachment post type.

8. Verification Steps (WP-CLI)

Check if the post type was successfully added to the Squirrly patterns:

# Check the Squirrly options for the 'patterns' key
wp option get sq_options --format=json | jq '.[].patterns | keys'

Verification is successful if 'attachment' (or your chosen posttype) appears in the list of keys.

9. Alternative Approaches

  • No-Nonce Attempt: Try the POST request without the sq_nonce parameter. If the handler is hooked to init and fails to verify the nonce properly, it may execute anyway.
  • Action Injection: If sq_automation_addpostype is restricted, try related actions found in the same view:
    • sq_automation_addtax (inferred)
    • sq_automation_deletepostype (inferred)
  • Subscriber Access: If unauthenticated fails, test as a Subscriber role user. Many "unauthenticated" vulnerabilities in Squirrly are also reachable by any logged-in user due to the same missing capability checks.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.