Cyber Resilience

CVE-2024-6497

Severity: High · Public PoC

Published: 20 July 2024
Modified: 08 April 2026
KEV Added: not listed
Patch: available
CVSS v3.1 Score: 8.8 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2289 (96.0th percentile)
Risk Priority: 31 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-6497 is a high-severity SQL Injection (CWE-89) vulnerability in the SEO Plugin by Squirrly SEO. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 4.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The SEO Plugin by Squirrly SEO for WordPress contains a stored cross-site scripting vulnerability in the url parameter that affects all versions through 12.3.19. The flaw stems from insufficient input sanitization and output escaping, allowing malicious script content to be persisted and later rendered in plugin-generated pages. CVE-2024-43286 is noted as a duplicate of the same issue.

Authenticated users with Contributor-level access or higher can supply crafted url values that store executable scripts. When any visitor loads an affected page, the injected code runs in the victim's browser, enabling theft of session tokens, account takeover, or other actions within the WordPress site context. The reported CVSS 3.1 score is 8.8.

Public references point to a patched changeset (3121853) in the plugin repository and an advisory from Wordfence that recommends updating to a fixed release. Site administrators should apply the latest version of the Squirrly SEO plugin and verify that Contributor roles cannot create or edit content that bypasses the corrected escaping routines.

EPSS probability rose from lower values to a recorded peak of 0.2757 before receding to the current 0.2289, indicating measurable post-disclosure exploitation interest that warrants renewed monitoring.

EU & UK References

Vulnerability details

The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 12.3.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-43286 appears to be a duplicate of this issue.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: squirrly
Product: seo plugin by squirrly seo
Versions: ≤ 12.3.20

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Addresses: CWE-79, CWE-89

Input validation checks web inputs and rejects script-related content that could produce XSS.
Addresses: CWE-79, CWE-89

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
Addresses: CWE-79

References