Impact
The S-DEV SEO plugin suffers a stored cross‑site scripting flaw that allows an attacker to inject arbitrary JavaScript code into web pages generated by WordPress. This code is stored persistently and executed when any user loads a page that includes the injected content, potentially enabling session hijacking, defacement, or the execution of more advanced client‑side attacks. The weakness is formally identified as CWE‑79 and represents a significant attack surface for sites using the affected plugin.
Affected Systems
WordPress sites that have installed the Seodev S-DEV SEO plugin version 1.88 or earlier. The vulnerability is present in every release from the plugin's launch through v1.88, so any site running one of those versions is susceptible.
Risk and Exploitability
The vendor assigns the vulnerability a CVSS score of 6.5, indicating moderate severity, and the EPSS is reported as less than 1 percent, reflecting a low but non‑zero likelihood of exploitation. The issue is not listed in CISA’s KEV catalog. Exploitation typically requires that an attacker can submit or influence content that is processed by the plugin’s storage mechanism (most likely by accessing the plugin’s administrative interface or an influencer’s editor), though the precise attack vector is not detailed in the advisory. Once the payload is stored, the injected script executes in the browser of any visitor to the affected page, making the exploit highly effective once the initial injection succeeds.