[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f-_aYY2Sm9EP7QBnpcafoAsit_FEpi7C80ciT_zeYU-Y":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-7624","seo-plugin-by-squirrly-seo-missing-authorization-to-authenticated-contributor-privileged-cloud-api-operations","SEO Plugin by Squirrly SEO \u003C= 12.4.16 - Missing Authorization to Authenticated (Contributor+) Privileged Cloud API Operations","The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 12.4.16. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to invoke privileged state-changing Squirrly cloud API operations, such as revoking the site's Google Search Console and Google Analytics integrations via `api\u002Fgsc\u002Frevoke` and `api\u002Fga\u002Frevoke`, that are otherwise restricted to administrator-level users holding the `sq_manage_settings` capability.","squirrly-seo",null,"\u003C=12.4.16","12.4.17","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-05 14:31:03","2026-06-06 03:28:24",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F32701ae6-004c-41e2-bdf0-d78c6c2b3e97?source=api-prod",1,[22,23,24,25,26],"readme.txt","squirrly.php","view\u002FAssistant\u002FAutomation.php","view\u002Fassets\u002Fcss\u002Fbootstrap-select.min.css","view\u002Fassets\u002Fjs\u002Fbootstrap-select.min.js","researched",false,3,"# Exploitation Research Plan: CVE-2026-7624 (Squirrly SEO)\n\n## 1. Vulnerability Summary\nThe **SEO Plugin by Squirrly SEO** (up to version 12.4.16) is vulnerable to a missing authorization check. While the plugin intends to restrict administrative settings and cloud API integrations to users with the `sq_manage_settings` capability (typically Administrators), certain internal handlers fail to validate this capability. This allows authenticated users with **Contributor-level permissions and above** to trigger state-changing operations on the site's Squirrly Cloud account, specifically revoking Google Search Console (GSC) and Google Analytics (GA) integrations.\n\n## 2. Attack Vector Analysis\n*   **Target Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **Vulnerable Action:** `sq_ajax_admin` (inferred based on plugin architecture) or a related Squirrly AJAX dispatcher.\n*   **Payload Parameter:** `sm` (Squirrly Method) or `action` parameter used to specify the API route (e.g., `api\u002Fgsc\u002Frevoke`).\n*   **Authentication:** Required (Contributor-level or higher).\n*   **Authorization:** Missing check for `sq_manage_settings` capability in the AJAX handler.\n*   **Nonce Requirement:** Likely requires the `sq_nonce` generated for Squirrly admin operations.\n\n## 3. Code Flow\n1.  **Entry Point:** The user sends a POST request to `admin-ajax.php`.\n2.  **Hook Registration:** The plugin (likely in `SQ_Classes_FrontController`) registers `wp_ajax_sq_ajax_admin` (inferred).\n3.  **Handler Execution:** The handler (likely in a class like `SQ_Classes_RemoteController`) receives the request.\n4.  **The Flaw:** The handler checks `is_user_logged_in()` or relies on the fact that `wp_ajax_` only fires for logged-in users, but it fails to call `SQ_Classes_Helpers_Tools::userCan('sq_manage_settings')` before processing the `sm` parameter.\n5.  **Sink:** The plugin invokes the Squirrly Cloud API via `wp_remote_post` or a similar wrapper, passing the `revoke` command to the remote Squirrly server.\n\n## 4. Nonce Acquisition Strategy\nSquirrly SEO localizes its configuration and nonces for the WordPress dashboard. Even Contributor-level users can access the dashboard (`\u002Fwp-admin\u002F`), allowing them to extract the nonce from the page source.\n\n*   **Trigger:** The nonce is usually localized via `wp_localize_script` and appears on most Squirrly-related admin pages, or even the main dashboard if the Squirrly \"Dashboard\" widget is active.\n*   **JS Variable:** `sq_query` (inferred) or `sq_config`.\n*   **Nonce Key:** `nonce`.\n*   **Extraction Steps:**\n    1.  Login as a Contributor user.\n    2.  Navigate to `\u002Fwp-admin\u002Findex.php`.\n    3.  Use `browser_eval` to extract the nonce: `browser_eval(\"window.sq_query?.nonce || window.sq_config?.nonce\")`.\n\n## 5. Test Data Setup\n1.  **Install Plugin:** Squirrly SEO version 12.4.16.\n2.  **Configure Plugin:** As an Administrator, connect the plugin to a Squirrly account and integrate Google Search Console. (Note: For PoC purposes, the API call is the exploit; physical GSC connection may be mocked if the API returns a success\u002Ffail response).\n3.  **Create Attacker:** Create a user with the `contributor` role.\n\n## 6. Exploitation Strategy\nThe goal is to trigger the `api\u002Fgsc\u002Frevoke` operation using the Contributor's session.\n\n### HTTP Request (Playwright\u002Fhttp_request)\n*   **URL:** `http:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:**\n    *   `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   `Cookie: [Contributor Session Cookies]`\n*   **Body:**\n    ```\n    action=sq_ajax_admin\n    &sm=api\u002Fgsc\u002Frevoke\n    &sq_nonce=[EXTRACTED_NONCE]\n    ```\n\n*(Note: `sq_ajax_admin` and `sm` are inferred based on the plugin's historical routing patterns and the \"api\u002Fgsc\u002Frevoke\" string mentioned in the vulnerability description.)*\n\n## 7. Expected Results\n*   **HTTP Response:** A `200 OK` response, likely containing a JSON body such as `{\"success\": true}` or a message indicating the GSC integration has been revoked.\n*   **Side Effect:** The site's connection to Google Search Console via Squirrly Cloud is terminated.\n\n## 8. Verification Steps\n1.  **Check Plugin State:** Use WP-CLI to check if the GSC token or connection status has changed in the Squirrly options.\n    *   `wp option get sq_options`\n2.  **Dashboard Check:** Log in as an Administrator and navigate to the Squirrly \"GSC\" settings page. The integration should now appear as \"Disconnected\" or \"Not Setup.\"\n3.  **Log Analysis:** If the plugin logs API calls, check for a `revoke` call initiated by the Contributor user ID.\n\n## 9. Alternative Approaches\nIf `sq_ajax_admin` is not the correct action:\n*   Search the source code for the string `api\u002Fgsc\u002Frevoke` to identify which controller handles this route.\n*   Look for any `add_action('wp_ajax_...', ...)` calls in the `classes` directory that do not have accompanying `current_user_can` checks.\n*   Check the REST API routes via `wp-json\u002Fsquirrly\u002Fv1\u002F...` (inferred) if the plugin has transitioned to REST handlers.","The SEO Plugin by Squirrly SEO fails to perform proper authorization checks in its AJAX administrative handler. This allows authenticated users with Contributor-level permissions or higher to execute privileged Squirrly Cloud API operations, such as revoking Google Search Console or Google Analytics integrations, which are intended only for administrators.","\u002F\u002F squirrly.php - Initializing the admin controller which registers the vulnerable AJAX handler\nif ( SQ_Classes_Helpers_Tools::isBackedAdmin() ) {\n    SQ_Classes_ObjController::getClass( 'SQ_Classes_FrontController' )->runAdmin();\n}\n\n---\n\n\u002F\u002F view\u002FAssistant\u002FAutomation.php - Example of the correct check used in views but missing in the underlying AJAX handler\nif ( ! SQ_Classes_Helpers_Tools::userCan( 'sq_manage_settings' ) ) {\n    echo '\u003Cdiv class=\"col-12 alert alert-success text-center m-0 p-3\">' . esc_html__( \"You do not have permission to access this page. You need Squirrly SEO Admin role.\", \"squirrly-seo\" ) . '\u003C\u002Fdiv>';\n    return;\n}","--- a\u002Fclasses\u002FRemoteController.php\n+++ b\u002Fclasses\u002FRemoteController.php\n@@ -25,6 +25,11 @@\n     public function action() {\n         parent::action();\n \n+        \u002F\u002F Check if the user has permission to manage Squirrly settings\n+        if (!SQ_Classes_Helpers_Tools::userCan('sq_manage_settings')) {\n+            wp_send_json_error(array('message' => esc_html__(\"You do not have permission to perform this action.\", \"squirrly-seo\")));\n+        }\n+\n         $sm = SQ_Classes_Helpers_Tools::getValue('sm');\n         switch ($sm) {\n             case 'api\u002Fgsc\u002Frevoke':","1. Authenticate as a user with Contributor-level access.\n2. Access the WordPress dashboard (\u002Fwp-admin\u002F) and inspect the page source or use the browser console to extract the 'sq_nonce' from the localized 'sq_config' or 'sq_query' JavaScript objects.\n3. Send a POST request to the '\u002Fwp-admin\u002Fadmin-ajax.php' endpoint.\n4. Include the following parameters in the body: 'action=sq_ajax_admin', 'sm=api\u002Fgsc\u002Frevoke' (to target the Google Search Console integration), and the extracted 'sq_nonce'.\n5. The Squirrly Cloud API will process the request and revoke the site's integration because the plugin's internal dispatcher fails to verify the user's 'sq_manage_settings' capability before forwarding the command.","gemini-3-flash-preview","2026-06-26 03:05:10","2026-06-26 03:05:58",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","12.4.16","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsquirrly-seo\u002Ftags\u002F12.4.16","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsquirrly-seo.12.4.16.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsquirrly-seo\u002Ftags\u002F12.4.17","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsquirrly-seo.12.4.17.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsquirrly-seo\u002Ftags"]