Description
Cross-Site Request Forgery (CSRF) vulnerability in zmseo ZMSEO zmseo allows Stored XSS.This issue affects ZMSEO: from n/a through <= 1.14.1.
Published: 2025-02-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cross‑Site Request Forgery in the ZMSEO plugin allows an attacker to inject malicious script into the site’s content. The injected script then persists in the database and executes automatically whenever a user views the affected page, leading to session hijack, defacement, or credential theft. The weakness relies on improper validation of request tokens, mapped to CWE‑352.

Affected Systems

The ZMSEO WordPress plugin, version 1.14.1 and earlier, is impacted. Administrators who use this plugin on any WordPress site may be vulnerable if they do not keep the plugin updated.

Risk and Exploitability

The vulnerability has a CVSS score of 7.1 and an EPSS score of less than 1 %, indicating a low probability of widespread automated exploitation but still a moderate to high impact if exploited. The attack vector is inferred to be a CSRF attack targeting authenticated administrators; the attacker must entice the victim to visit a crafted URL or submit a forged request. Because the vulnerability is not listed in CISA KEV, there is no known active exploitation, but the presence of stored XSS remains a significant risk.

Generated by OpenCVE AI on May 1, 2026 at 16:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ZMSEO plugin to the latest available version, which removes the CSRF vulnerability.
  • Review user‑generated content for injected scripts and remove any that appear malicious.
  • Verify that the plugin’s CSRF protection mechanisms are active, or consider disabling the plugin if it is no longer required.

Generated by OpenCVE AI on May 1, 2026 at 16:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-4045 Cross-Site Request Forgery (CSRF) vulnerability in zmseo ZMSEO allows Stored XSS. This issue affects ZMSEO: from n/a through 1.14.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in zmseo ZMSEO allows Stored XSS. This issue affects ZMSEO: from n/a through 1.14.1. Cross-Site Request Forgery (CSRF) vulnerability in zmseo ZMSEO zmseo allows Stored XSS.This issue affects ZMSEO: from n/a through <= 1.14.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 12 Feb 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 07 Feb 2025 10:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in zmseo ZMSEO allows Stored XSS. This issue affects ZMSEO: from n/a through 1.14.1.
Title WordPress ZMSEO plugin <= 1.14.1 - CSRF to Stored XSS vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:35.831Z

Reserved: 2025-02-03T13:34:51.002Z

Link: CVE-2025-25126

cve-icon Vulnrichment

Updated: 2025-02-12T20:46:01.245Z

cve-icon NVD

Status : Deferred

Published: 2025-02-07T10:15:17.980

Modified: 2026-04-23T15:25:39.530

Link: CVE-2025-25126

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T17:00:11Z

Weaknesses