Stored Cross-Site Scripting in Slim SEO - Fast & Automated WordPress SEO Plugin

CVE-2025-4611

What is CVE-2025-4611?

CVE-2025-4611 is a vulnerability found in the Slim SEO – Fast & Automated WordPress SEO Plugin, which is designed to optimize WordPress websites for search engines efficiently. This vulnerability permits stored cross-site scripting (XSS) attacks due to inadequate input sanitization and output escaping on user-supplied attributes in the plugin's slim_seo_breadcrumbs shortcode. Authenticated attackers, holding contributor-level access or higher, can exploit this vulnerability to inject arbitrary web scripts into web pages. As a result, the scripts execute every time a user accesses the affected pages, leading to potential security breaches and affecting the overall integrity of the website.

Potential impact of CVE-2025-4611

1. Data Theft: The XSS vulnerability allows attackers to inject malicious scripts that can capture sensitive user data, such as login credentials or personal information, leading to potential identity theft and unauthorized access to accounts.

2. Website Defacement: Attackers can manipulate the content displayed to users, enabling them to change website text, images, or layouts, which can harm the reputation of the organization and diminish user trust.

3. Malware Distribution: Through the injected scripts, attackers can redirect users to malicious websites or install malware on visitors' devices, which may result in further widespread attacks and exploitation beyond the initial compromised site.

References