WordPress Xagio SEO plugin <= 7.1.0.30 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by daroo in WordPress Plugin Xagio SEO versions <= 7.1.0.30...
CVE-2025-14438
The Xagio SEO – AI Powered SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.1.0.30 via the 'pixabayDownloadImage' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests...
CVE-2025-14438 Xagio SEO <= 7.1.0.30 - Authenticated (Subscriber+) Server-Side Request Forgery
The Xagio SEO – AI Powered SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.1.0.30 via the 'pixabayDownloadImage' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests...
CVE-2025-3302
The Xagio SEO – AI Powered SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘HTTP_REFERER’ parameter in all versions up to, and including, 7.1.0.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to injec...
CVE-2025-3302 Xagio SEO <= 7.1.0.16 - Unauthenticated Stored Cross-Site Scripting via 'HTTP_REFERER'
The Xagio SEO – AI Powered SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘HTTP_REFERER’ parameter in all versions up to, and including, 7.1.0.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to injec...
CVE-2025-3302
The CVE-2025-3302 entry concerns Xagio SEO – AI Powered SEO for WordPress. Affected are all versions up to and including 7.1.0.16, vulnerable to Unauthenticated Stored Cross-Site Scripting via HTTP_REFERER due to insufficient input sanitization and output escaping. The vulnerability was partially...
WordPress Xagio SEO plugin <= 7.1.0.16 - Unauthenticated Stored Cross-Site Scripting via 'HTTP_REFERER' vulnerability
Unauthenticated Stored Cross-Site Scripting via 'HTTP_REFERER' vulnerability discovered by Jack Taylor in WordPress Plugin Xagio SEO versions <= 7.1.0.16...
PT-2025-25204 · WordPress · Xagio Seo
Name of the Vulnerable Software and Affected Versions: Xagio SEO – AI Powered SEO plugin for WordPress versions up to, and including, 7.1.0.16 Description: The Xagio SEO – AI Powered SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTTP_REFERER parameter due to...
CVE-2025-24702 WordPress Xagio SEO plugin <= 7.0.0.20 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Xagio SEO Xagio SEO xagio-seo allows Stored XSS. This issue affects Xagio SEO: from n/a through <= 7.0.0.20...
CVE-2025-24702
CVE-2025-24702 affects the WordPress Xagio SEO plugin. It is a stored XSS due to improper input neutralization during web page generation, affecting versions up to 7.0.0.20. A fix/patch is available; upgrade to a version where the vulnerability is addressed.