SEOPress Plugin Alert: CVE-2024-5488 Flaw Exposes 300K Sites
A critical vulnerability tracked as CVE-2024-5488 has been discovered in SEOPress, a popular WordPress plugin with over 300,000 active installations. The flaw lets unauthenticated users bypass the plugin's access checks and manipulate sensitive data, potentially leading to full remote code execution.
CVE-2024-5488 is a compound vulnerability involving an authentication bypass that leads to object injection, rated with a CVSS score of 8.1, indicating its high severity. The core of the issue lies in the plugin’s handling of REST API routes. SEOPress, a plugin designed to enhance SEO capabilities, mistakenly allowed unauthenticated access to certain REST API routes that should have been protected.
The authentication flaw was rooted in a critical oversight within the permission_callback function of these REST API routes. The function attempted to reimplement some of WordPress’s authentication checks but failed due to the improper handling of WP_User objects and application passwords. Specifically, the function incorrectly assumed that any WP_User object provided was already authenticated, thus bypassing the intended security checks.
With this unauthenticated access, attackers could exploit a second weakness in how SEOPress serializes and unserializes data. By manipulating post metadata stored in the plugin's custom database tables, attackers could cause arbitrary objects to be unserialized. This opens the door to what are known as Object Injection attacks, where malicious actors craft serialized objects that execute arbitrary code when unserialized.
This type of vulnerability is particularly dangerous because it can enable attackers to execute complex Property Oriented Programming (POP) chains. These chains are sequences of serialized class instances that trigger PHP magic methods during the script’s execution, potentially leading to full remote code execution on the targeted site.
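The two weaknesses described above, the permission check that trusts any WP_User object and the unserialization of attacker-controlled metadata, are illustrated below in a constructed WordPress example. This is added illustration, not SEOPress's code: the route name, table name and function names are hypothetical, and the weak callback is a reconstruction of the pattern the article describes, shown next to a hardened version that defers to WordPress core.

```php
<?php
// Constructed example (not SEOPress code). Names prefixed "example_" are hypothetical.

// WEAK PATTERN: a permission_callback that "authenticates" by looking up a user
// named in the request. get_user_by() returns a WP_User for any existing login,
// so the existence of a user object is mistaken for proof that the caller IS that user.
function example_weak_permission_callback( WP_REST_Request $request ) {
    $user = get_user_by( 'login', (string) $request->get_param( 'user' ) );
    return $user instanceof WP_User; // existence != authentication
}

// HARDENED: let core authenticate the request. Cookie+nonce auth and application
// passwords both populate the current user via determine_current_user, so the
// callback only needs to check login state and a post-scoped capability.
function example_secure_permission_callback( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $post_id = (int) $request->get_param( 'id' );
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    return true;
}

// Handler reading serialized data from a hypothetical custom table. Passing
// allowed_classes => false makes unserialize() produce __PHP_Incomplete_Class
// instead of real objects, so no magic methods run and no POP chain can start.
function example_read_meta( WP_REST_Request $request ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_meta'; // hypothetical table name
    $raw   = $wpdb->get_var( $wpdb->prepare(
        "SELECT meta_value FROM {$table} WHERE post_id = %d LIMIT 1",
        (int) $request->get_param( 'id' )
    ) );
    $data = is_string( $raw ) ? unserialize( $raw, array( 'allowed_classes' => false ) ) : null;
    return rest_ensure_response( $data );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/meta/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_read_meta',
        'permission_callback' => 'example_secure_permission_callback',
    ) );
} );
```

Where the stored data is under the plugin's own control, storing it as JSON and using json_decode() avoids unserialize() entirely and is the simpler fix.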
The implications of such vulnerabilities are far-reaching. Attackers could leverage this flaw to modify SEOPress-related post metadata, potentially initiating SEO spam campaigns or more destructive actions. The capability to store and trigger malicious POP chains in arbitrary posts’ metadata could let attackers execute code under the guise of seemingly benign operations.
Security researchers at WPScan identified the vulnerability during a routine audit and promptly reported it to the SEOPress team. To address this critical vulnerability, the SEOPress team has released version 7.9, which includes patches to both the authentication process and the handling of serialized data. WordPress site administrators using SEOPress are strongly urged to update to this latest version to protect their sites from potential exploitation.