Sentence To SEO WordPress Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Sentence To SEO (keywords, description and tags) plugin for WordPress, affecting all versions through 1.0. The issue arises from inadequate input sanitization and output escaping. The plugin captures user input via filter_input_array(INPUT_POST) without applying HTML sanitization, stores the unsanitized data in the WordPress options table, and then directly outputs it into a textarea element using PHP short echo tags, without any escaping. This allows authenticated attackers with administrator-level access to inject arbitrary HTML or JavaScript, which executes when a user visits the plugin's settings page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user visiting the affected page.

Remediation

There is no known patch available for this vulnerability. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.