CVE-2024-5488
published 2024-07-09

CVE-2024-5488: The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can…

Priority: P268
Severity: critical, CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available (Nuclei template)
EPSS: 3.77% (88.6th percentile)
The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present.

Affected

1 range

Vendor     Product    Version range   Fixed in
seopress   seopress   < 7.9           7.9

Detection & IOCs (extracted from sources)

URL: /wp-json/seopress/v1/posts/1/title-description-metas
  • Probe for unauthenticated access to the SEOPress REST route by sending a PUT request to /wp-json/seopress/v1/posts/{id}/title-description-metas without credentials. A response containing 'Sorry, you are not allowed to do that.' (the standard WordPress rest_forbidden message) confirms that the route exists and that its permission callback rejects a request carrying no credentials at all.
  • Exploitation is confirmed when a PUT request to the same route with an HTTP Basic Authorization header carrying an arbitrary password (e.g., 'aaaaaa') returns a JSON success response containing '"code":"success"': the write went through without valid credentials, which is the authentication bypass.
  • Monitor for PUT requests to WordPress REST API paths matching /wp-json/seopress/v1/posts/*/title-description-metas, especially from clients presenting no credentials or only HTTP Basic credentials; this is the vulnerable endpoint that enables the auth bypass and, through it, the object injection.
  • The public proof of concept uses a three-step flow: (1) confirm the route exists via an unauthenticated PUT, (2) exploit the auth bypass via a PUT with Basic auth and an arbitrary password, (3) verify the write via a GET to the same route. Alert on this sequence from a single source IP.
  • The gadget-chain stage is only possible if a suitable PHP gadget chain is present in the target WordPress environment (e.g., via other installed plugins or themes). The auth bypass alone does not guarantee RCE, but it does give an unauthenticated attacker a write into post metadata.
  • The Nuclei template targets post ID 1 specifically; in real-world exploitation, attackers may iterate over arbitrary post IDs. Detection rules should match any post ID, not only 1.
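Detection logic for the monitoring guidance above, as an added example that is not part of this page, of SEOPress, or of the Nuclei template. It applies the route pattern (any post ID, query string ignored) and the three-step sequence rule to constructed JSON-lines events. The event fields (ip, method, path, status, authz), the sample addresses and the severity labels are assumptions; map them onto the fields your own access log or WAF actually provides.

```python
"""Flag CVE-2024-5488 probe/exploit traffic against the SEOPress REST route.

Added example, not project code. The log format is constructed: one JSON
object per line with an "authz" field naming the Authorization scheme seen
("none", "basic", "cookie"). Adapt parse_events() to your real log fields.
"""
import json
import re
from collections import defaultdict

# Match any post ID, not only the ID 1 used by the public Nuclei template.
ROUTE_RE = re.compile(
    r"^/wp-json/seopress/v1/posts/(\d+)/title-description-metas/?$"
)

# Constructed sample events (assumed format). The first three lines are the
# PoC's three-step flow; line four is a Basic-auth write to another post ID;
# the last two are unrelated traffic and a cookie-authenticated editor.
SAMPLE_LOG = """
{"ip": "203.0.113.7", "method": "PUT", "path": "/wp-json/seopress/v1/posts/1/title-description-metas", "status": 401, "authz": "none"}
{"ip": "203.0.113.7", "method": "PUT", "path": "/wp-json/seopress/v1/posts/1/title-description-metas", "status": 200, "authz": "basic"}
{"ip": "203.0.113.7", "method": "GET", "path": "/wp-json/seopress/v1/posts/1/title-description-metas", "status": 200, "authz": "none"}
{"ip": "198.51.100.9", "method": "PUT", "path": "/wp-json/seopress/v1/posts/42/title-description-metas?_locale=user", "status": 200, "authz": "basic"}
{"ip": "192.0.2.5", "method": "GET", "path": "/wp-json/wp/v2/posts/1", "status": 200, "authz": "none"}
{"ip": "192.0.2.8", "method": "PUT", "path": "/wp-json/seopress/v1/posts/7/title-description-metas", "status": 200, "authz": "cookie"}
"""


def route_post_id(path):
    """Return the post ID if `path` is the vulnerable route, else None."""
    m = ROUTE_RE.match(path.split("?", 1)[0])
    return int(m.group(1)) if m else None


def parse_events(text):
    """Parse the constructed JSON-lines log into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return alerts as (severity, rule, ip, post_id) tuples in log order.

    State is kept per (ip, post_id) so that the PoC sequence
    unauth PUT rejected -> Basic-auth PUT accepted -> GET is recognised
    even when the attacker iterates over many post IDs.
    """
    alerts = []
    stages = defaultdict(set)  # (ip, post_id) -> stages seen so far
    for ev in events:
        post_id = route_post_id(ev["path"])
        if post_id is None:
            continue  # not the SEOPress route
        key = (ev["ip"], post_id)
        method, authz = ev["method"], ev.get("authz", "none")
        ok = 200 <= ev["status"] < 300

        if method == "PUT" and authz == "none":
            if ok:
                # The permission callback should never let this through.
                alerts.append(("high", "unauthenticated_write_succeeded", *key))
            else:
                alerts.append(("low", "unauthenticated_put_probe", *key))
                stages[key].add("probe")
        elif method == "PUT" and authz == "basic" and ok:
            stages[key].add("basic_write")
            if "probe" in stages[key]:
                alerts.append(("high", "auth_bypass_sequence", *key))
            else:
                # Legitimate app-password clients exist; still worth review.
                alerts.append(("medium", "basic_auth_write", *key))
        elif method == "GET" and ok and "basic_write" in stages[key]:
            # Step 3 of the PoC: the attacker reads back what it wrote.
            stages[key].add("verify")
            alerts.append(("critical", "exploit_chain_complete", *key))
        # Cookie-authenticated writes (wp-admin editors) are not flagged.
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run it as-is to see the four alerts the sample produces; in production, feed `detect()` a stream of events in log order and key your alerting on `auth_bypass_sequence` and `exploit_chain_complete`, treating the lone `basic_auth_write` as a triage signal rather than a confirmed compromise.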