CVE-2024-10515: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in the SEO Plugin by Squirrly SEO WordPress plugin versions before 12.3.21. The vulnerability was publicly disclosed on October 30, 2024, and was assigned CVE-2024-10515. This security flaw affects users with editor-level privileges or higher who can access the WordPress post editor interface (WPScan).

The vulnerability allows authenticated users with editor-level access to implement Stored XSS by embedding malicious scripts through the plugin's 'Live Assistant' feature. The issue specifically occurs in the '+ Add keyword' field of the post editor interface. The vulnerability has been assigned a CVSS v3.1 base score of 3.5 (Low) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N (NVD).

If successfully exploited, this vulnerability could lead to account takeover through the execution of malicious JavaScript code in the context of other users' sessions. The stored nature of the XSS means that the malicious script persists in the database and can affect users who later access the compromised page (WPScan).

The vulnerability has been patched in version 12.3.21 of the SEO Plugin by Squirrly SEO. Users are advised to update to this version or later to mitigate the risk (WPScan).