GEO Plugin by Squirrly SEO <= 12.4.16 - Missing Authorization
Description
The GEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 12.4.16. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=12.4.16What Changed in the Fix
Changes introduced in v12.4.17
Source Code
WordPress.org SVNThis research plan targets **CVE-2026-52714**, a missing authorization vulnerability in the **SEO Plugin by Squirrly SEO** (version <= 12.4.16). The vulnerability allows unauthenticated attackers to perform unauthorized actions, specifically modifying "Automation" settings by adding post types to th…
Show full research plan
This research plan targets CVE-2026-52714, a missing authorization vulnerability in the SEO Plugin by Squirrly SEO (version <= 12.4.16). The vulnerability allows unauthenticated attackers to perform unauthorized actions, specifically modifying "Automation" settings by adding post types to the plugin's configuration.
1. Vulnerability Summary
- Vulnerability: Missing Authorization (Insecure Direct Object Reference / Missing Capability Check).
- Location: The handler for the
sq_automation_addpostypeaction (likely withinSQ_Controllers_Assistantor a similar backend controller). - Cause: While the view (
view/Assistant/Automation.php) correctly checks for thesq_manage_settingscapability before displaying the form, the server-side handler that processes thePOSTrequest fails to verify if the requesting user has the necessary permissions. Additionally, the nonce check is either absent, uses a predictable action, or the nonce is leaked to unauthenticated users.
2. Attack Vector Analysis
- Endpoint:
wp-admin/admin-post.phpor the site root/(depending on whether the hook isadmin_initorinit). In Squirrly SEO, these are often handled viainit. - Action:
sq_automation_addpostype - Payload Parameters:
action:sq_automation_addpostypeposttype: The slug of a post type to add to the automation list (e.g.,post,page, or a custom type).sq_nonce: The security nonce (if enforced).
- Authentication: Unauthenticated (
PR:N). - Preconditions: None.
3. Code Flow
- Request Entry: An unauthenticated
POSTrequest is sent to the site. - Hook Execution: The plugin registers a handler for
sq_automation_addpostype(likely viaSQ_Classes_FrontControllerorSQ_Classes_BlockControllercalling a controller method). - Vulnerable Function: The handler retrieves
$_POST['posttype']. - Missing Check: The code proceeds to update the plugin options (likely the
patternsarray insq_options) without callingcurrent_user_can( 'sq_manage_settings' ). - Persistence: The new post type is added to the "Automation" configurations, affecting how the plugin generates SEO patterns for that type.
4. Nonce Acquisition Strategy
The vulnerability is rated as unauthenticated (PR:N), meaning the nonce must be either bypassable or retrievable without a login. Squirrly SEO often localizes configuration data for its frontend "SEO Assistant" and "Live Assistant."
- Check Frontend Leakage: Navigate to any public page and check for localized script data.
- Target Variable: Look for the
sq_configJavaScript object or similar localization keys. - Browser Eval:
- Use
browser_navigateto the homepage. - Use
browser_evalto search for nonces:browser_eval("window.sq_config?.nonce || window.SQ_Data?.nonce")
- Use
- Bypass Analysis: If the handler uses
wp_verify_nonce( $_POST['sq_nonce'], -1 )orcheck_ajax_referer( 'sq_automation_addpostype', 'sq_nonce', false )without checking the return value, the nonce can be omitted or set to any value.
5. Exploitation Strategy
Goal: Add a new post type to the Squirrly Automation settings unauthenticated.
- Request Type:
POST - URL:
http://<target>/wp-admin/admin-post.php(orhttp://<target>/ifadmin-post.phpreturns 403). - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
(Note: Usingaction=sq_automation_addpostype&posttype=attachment&sq_nonce=[NONCE]attachmentas it is a common built-in type that might not be in the automation list by default).
6. Test Data Setup
- Install SEO Plugin by Squirrly SEO version
12.4.16. - Ensure the plugin is activated.
- No specific users or posts are required since the attack is unauthenticated.
7. Expected Results
- HTTP Response: A
302 Redirect(standard foradmin-post.php) or a200 OKwith success indicators. - Success Indicator: The
sq_optionsdatabase entry (specifically thepatternskey) will now include an entry for theattachmentpost type.
8. Verification Steps (WP-CLI)
Check if the post type was successfully added to the Squirrly patterns:
# Check the Squirrly options for the 'patterns' key
wp option get sq_options --format=json | jq '.[].patterns | keys'
Verification is successful if 'attachment' (or your chosen posttype) appears in the list of keys.
9. Alternative Approaches
- No-Nonce Attempt: Try the
POSTrequest without thesq_nonceparameter. If the handler is hooked toinitand fails to verify the nonce properly, it may execute anyway. - Action Injection: If
sq_automation_addpostypeis restricted, try related actions found in the same view:sq_automation_addtax(inferred)sq_automation_deletepostype(inferred)
- Subscriber Access: If unauthenticated fails, test as a
Subscriberrole user. Many "unauthenticated" vulnerabilities in Squirrly are also reachable by any logged-in user due to the same missing capability checks.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.