GZSEO WordPress Plugin Authorization Bypass Leading to Stored Cross-Site Scripting Vulnerability

A vulnerability exists in the GZSEO plugin for WordPress, affecting all versions up to and including 2.0.11. The issue arises from an authorization bypass that allows authenticated attackers with contributor-level access or higher to exploit missing capability checks on several AJAX handlers. This, combined with inadequate input sanitization and output escaping of the 'embed_code' parameter, enables the injection of arbitrary content into posts. The injected content is executed when users access the affected pages.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the post.

Reproduction

To reproduce this vulnerability, an authenticated user with contributor-level access or higher can use the GZSEO plugin's AJAX handlers 'gzseo_save_video_update' or 'gzseo_save_taxonomy_video_update' to upload a video that includes a malicious script in the 'embed_code' parameter. The absence of proper capability checks and data sanitization facilitates this injection. Once the video is saved, the script will execute whenever the post or taxonomy term is viewed.

Remediation

No known patch is available. It is recommended to uninstall the affected plugin and find a replacement.