Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hpinfosys Metadata SEO metadata-seo allows Stored XSS.This issue affects Metadata SEO: from n/a through <= 2.3.
Published: 2025-01-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Metadata SEO plugin contains an improper neutralization of user input during web page generation, allowing stored cross‑site scripting attacks. When an attacker succeeds, arbitrary JavaScript can execute in a victim’s browser, potentially compromising user sessions, injecting malicious content, or facilitating further phishing attempts.

Affected Systems

WordPress users running the Metadata SEO plugin, version 2.3 or earlier, are affected.

Risk and Exploitability

With a CVSS score of 6.5, this vulnerability is considered medium severity. The EPSS score of less than 1% indicates a low likelihood of exploitation at present, and it is not listed in the CISA KEV catalog. The likely attack vector involves an authenticated user submitting unchecked input through the plugin’s configuration or content fields, which is then stored and rendered without sanitization for all site visitors.

Generated by OpenCVE AI on May 1, 2026 at 22:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Metadata SEO plugin to the latest version (>= 2.4)
  • Disable or remove the plugin if it is not required for site functionality
  • Implement a web application firewall rule to block or sanitize suspicious scripts and XSS payloads

Generated by OpenCVE AI on May 1, 2026 at 22:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-2796 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hitesh Patel Metadata SEO allows Stored XSS.This issue affects Metadata SEO: from n/a through 2.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hitesh Patel Metadata SEO allows Stored XSS.This issue affects Metadata SEO: from n/a through 2.3. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hpinfosys Metadata SEO metadata-seo allows Stored XSS.This issue affects Metadata SEO: from n/a through <= 2.3.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 07 Jan 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Jan 2025 15:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hitesh Patel Metadata SEO allows Stored XSS.This issue affects Metadata SEO: from n/a through 2.3.
Title WordPress Metadata SEO plugin <= 2.3 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T22:35:01.402Z

Reserved: 2025-01-07T10:22:48.985Z

Link: CVE-2025-22516

cve-icon Vulnrichment

Updated: 2025-01-07T16:23:54.501Z

cve-icon NVD

Status : Deferred

Published: 2025-01-07T16:15:46.653

Modified: 2026-06-17T08:47:55.523

Link: CVE-2025-22516

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T22:15:27Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')