CVE-2026-1667
WordPress · GEO Plugin by Squirrly SEO
The GEO Plugin by Squirrly SEO for WordPress is vulnerable to arbitrary post creation and stored cross-site scripting (XSS) due to missing authorization checks in all versions up to 14.0.0.
Executive summary
An unauthenticated vulnerability in the GEO Plugin by Squirrly SEO allows attackers to create arbitrary posts and execute stored XSS, posing a significant risk to site integrity and visitor security.
Vulnerability
This is a missing authorization vulnerability (CWE-862) that permits unauthenticated attackers to perform administrative actions, specifically the creation of posts and the injection of malicious scripts, which are then stored and executed in the browser of site visitors or administrators.
Business impact
The ability to create arbitrary posts can lead to site defacement, SEO poisoning, or the distribution of malicious content to users. Furthermore, stored XSS can be leveraged to hijack administrator sessions or steal sensitive user data, potentially resulting in full site compromise. With a CVSS score of 7.2, this vulnerability represents a high-severity risk that requires immediate attention to maintain platform trust and operational continuity.
Remediation
Immediate Action: Update the GEO Plugin by Squirrly SEO to version 14.0.1 or higher immediately.
Proactive Monitoring: Monitor site logs for unusual post creation activity or unexpected script injections within existing content.
Compensating Controls: Implement a Web Application Firewall (WAF) with rules configured to detect and block common XSS patterns and unauthorized administrative requests.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the ease with which unauthenticated attackers can exploit this vulnerability to compromise site content, administrators should prioritize updating the plugin immediately. Failure to apply the vendor-provided patch leaves the site open to content manipulation and cross-site scripting attacks that can impact both the business reputation and user security.