CVE-2024-0597 MEDIUM

CVE-2024-0597: SEO Plugin by Squirrly SEO <= 12.3.15 - Authenticated(Administrator+) Stored Cross-Site Scripting via plugin settings

Vendor Cifi
Product SEO Plugin by Squirrly SEO
Weakness CWE-79 · XSS
Published February 5, 2024
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

4.4/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to and including 12.3.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Key dates

02Disclosure timeline

February 5, 2024 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-9119 SVG Complete <= 1.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload CVE-2024-4682 Campcodes Complete Web-Based School Management System exam_timetable_update_form.php cross site scripting CVE-2025-46538 WordPress Inline Text Popup plugin <= 1.0.0 - Cross Site Scripting (XSS) Vulnerability CVE-2026-42685 WordPress WP Job Portal plugin <= 2.5.1 - Cross Site Scripting (XSS) vulnerability CVE-2023-6775 CodeAstro POS and Inventory Management System item_con cross site scripting