2 Vulnerabilities in Squirrly SEO plugin 6.1.4 and older

Today the Squirrly SEO team released version 6.1.5 of their WordPress plugin, fixing two security vulnerabilities. They have over 20,000 active users according to wordpress.org. Panagiotis Vagenas, Security Analyst here at Wordfence discovered the vulnerabilities. Details were shared with the author and firewall rules were added to the Wordfence Threat Defense Feed on Friday. The path traversal and privilege escalation vulnerabilities impact versions 6.1.4 and older.

Vulnerability 1: Privilege Escalation

CVSS Severity: 8.8 (High)

This vulnerability allows an attacker to modify plugin settings on a site with registration enabled. On a stand-alone basis the value to an attacker is relatively low, enabling them to do things like add or change the site favicon, upload featured images for posts or retrieve SEO settings for a post. As you’ll see below, the real danger with this vulnerability is when it is used in conjunction with another.

Vulnerability 2: Path Traversal

CVSS Severity: 8.1 (High)

This vulnerability allows an attacker to download any file from a WordPress server, including the wp-config.php file. That file includes database credentials for the website and other information that could potentially enable an attacker to gain full control of the site. In order to exploit this vulnerability there are two conditions that must be met: a specific plugin parameter must be set to a specific value and a favicon must be present. We have no way of estimating the percentage of websites running the Squirrly SEO that meet this criteria. However, it could be used in conjunction with vulnerability 1 above or any other privilege escalation vulnerability to significantly increase an attacker’s success rate.

Both free and Premium Wordfence users with the firewall enabled have been protected from this vulnerability since the new Firewall and Threat Defense Feed were released in April.

What to do

Premium Wordfence customers that have the firewall enabled are protected by the firewall rule that was added to the Threat Defense Feed on Friday, July 8th. Free Wordfence users running the Squirrly SEO plugin should upgrade to version 6.1.5 immediately, and will receive a rule to protect against vulnerability 1 on August 7th.

Did you enjoy this post? Share it!


  • Hey,

    Hey, I read the article and you didn't specified that those were between the logged-in users. Squirrly only allows logged users with Contributor rights and above to use the features.

    It's good to have the last version because we also add many new features in Squirrly SEO.

    Please edit the article so that people don't get confused.

    Thank you,

    • Hi Calin,

      We've reverified that one of these vulnerabilities is completely unauthenticated and the other requires only subscriber level access.

      We're emailing you privately as a follow-up.