Stored Cross-Site Scripting Vulnerability in All in One SEO Plugin for WordPress
CVE-2025-2892

5.4 MEDIUM

What is CVE-2025-2892?

The All in One SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting because the Meta Description and Canonical URL parameters are improperly sanitized. The vulnerability affects all versions up to and including 4.8.1.1 and allows authenticated attackers with Contributor-level access or higher to inject malicious web scripts into pages. The scripts execute whenever a user accesses an affected page, potentially compromising user data and website integrity.

Affected Version(s)

All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic * <= 4.8.1.1

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ivan Kuzymchak