CVE Catalog

CVE-2026-7624

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Summary

The SEO Plugin by Squirrly SEO for WordPress is vulnerable to authorization bypass in all versions up to and including 12.4.16. The issue arises from improper verification of user permissions to perform certain actions.

Risk Assessment

The risk is that authenticated attackers with contributor-level access and above can perform state-changing operations that should be restricted to administrators, potentially leading to serious security breaches.

Recommendation

It is recommended to update the plugin to the latest version to mitigate this vulnerability and review user permissions to restrict access to sensitive operations.

Original NVD description (English source)

The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 12.4.16. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to invoke privileged state-changing Squirrly cloud API operations, such as revoking the site's Google Search Console and Google Analytics integrations via `api/gsc/revoke` and `api/ga/revoke`, that are otherwise restricted to administrator-level users holding the `sq_manage_settings` capability.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS