Description
The Xagio SEO – AI Powered SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.1.0.30 via the 'pixabayDownloadImage' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Published: 2026-01-06
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery enabling authenticated attackers to query or modify internal services
Action: Patch Immediately
AI Analysis

Impact

The vulnerability resides in the pixabayDownloadImage function of the Xagio SEO – AI Powered SEO WordPress plugin, allowing an authenticated user with Subscriber level privileges or higher to trigger outbound HTTP requests from the server. This Server‑Side Request Forgery can be used to retrieve sensitive information or alter data in internal systems, thereby compromising confidentiality and integrity. The flaw does not require elevated privileges beyond the defined role, so any logged‑in subscriber may exploit it.

Affected Systems

All installations of the Xagio SEO – AI Powered SEO plugin up to and including version 7.1.0.30 are affected. The plugin is distributed by xagio and installed within the WordPress ecosystem. Versions newer than 7.1.0.30 are presumed corrected.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The plugin is not listed in the CISA KEV catalog. The attack vector requires a legitimate WordPress login with at least Subscriber role, meaning that an attacker would first need access to a user account or must compromise authentication. Once authenticated, the attacker can invoke the vulnerable function to target arbitrary internal or external URLs, potentially causing information disclosure or modification.

Generated by OpenCVE AI on April 21, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Xagio SEO – AI Powered SEO plugin to version 7.1.0.31 or later, which removes the vulnerable pixabayDownloadImage function.
  • If an immediate upgrade is not possible, severally limit the capabilities of Subscriber users to prevent execution of file‑download functionality, or remove the capability that allows invoking pixabayDownloadImage.
  • Consider disabling or uninstalling the Xagio SEO plugin entirely if it is not essential to your site’s functionality.
  • Implement a Web Application Firewall rule that blocks outbound requests generated by the plugin’s pixabayDownloadImage endpoint to prevent SSRF attempts.

Generated by OpenCVE AI on April 21, 2026 at 16:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 06 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Xagio
Xagio xagio Seo
Vendors & Products Wordpress
Wordpress wordpress
Xagio
Xagio xagio Seo

Tue, 06 Jan 2026 05:00:00 +0000

Type Values Removed Values Added
Description The Xagio SEO – AI Powered SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.1.0.30 via the 'pixabayDownloadImage' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Title Xagio SEO <= 7.1.0.30 - Authenticated (Subscriber+) Server-Side Request Forgery
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
Xagio Xagio Seo
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:00:45.483Z

Reserved: 2025-12-10T11:23:17.347Z

Link: CVE-2025-14438

cve-icon Vulnrichment

Updated: 2026-01-06T14:35:38.203Z

cve-icon NVD

Status : Deferred

Published: 2026-01-06T05:15:58.633

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14438

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T17:00:12Z

Weaknesses