The SEOPress – On-site SEO & Analytics WordPress plugin suffers from a stored cross-site scripting vulnerability (CWE-79) identified as CVE-2024-1134. This vulnerability allows attackers with contributor or higher access to inject arbitrary web scripts via SEO title, description, and other parameters due to inadequate input sanitization and output escaping. When other users access the injected pages, the malicious scripts execute, potentially leading to session hijacking or other client-side attacks. The vulnerability affects all versions up to and including 7.5.2.1. The CVSS 3.1 base score is 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, required privileges of contributor level, no user interaction, scope change, and limited confidentiality and integrity impact without availability impact. No patch or official fix has been documented in the provided data.

Successful exploitation allows an attacker with contributor or higher privileges to inject persistent malicious scripts into SEO-related fields. These scripts execute in the context of users viewing the affected pages, potentially compromising user sessions or performing unauthorized actions. The impact is limited to confidentiality and integrity with no availability impact. The vulnerability requires authenticated access at contributor level or above, reducing the attack surface compared to unauthenticated vulnerabilities.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, it is recommended to restrict contributor-level access to trusted users only. Avoid entering untrusted input into SEO title and description fields. Monitor official SEOPress and WordPress security advisories for updates regarding a patch or mitigation. No vendor advisory or patch links are currently provided.