Impact
Phillip.Gooch Auto SEO for WordPress contains a cross‑site request forgery flaw that allows an attacker to inject malicious script into stored configuration data. The injected script is then rendered when an administrator or any user with access views the affected page, enabling client‑side code execution in the victim’s browser. This can result in credential theft, session hijacking, defacement, or further lateral movement within the site’s administrative interface.
Affected Systems
The vulnerability exists in Auto SEO versions up to and including 2.5.6. All installations running any release up to and including 2.5.6 are potentially affected, regardless of the WordPress core version. No specific hardware or operating system requirements are noted, and the attack targets the WordPress admin area rather than the underlying server environment.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests a low current likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a victim who is authenticated with sufficient privileges: the attacker must craft a request that the victim’s browser submits, relying on the victim’s session cookie to pass the plugin’s authorization. Once the input is stored, any subsequent page rendering by an authorized user executes the injected script.
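The weakness class described above, as an added illustration that is not the plugin’s code: a hypothetical WordPress settings handler shown in a weak form (no nonce, no sanitization, raw output) beside the hardened form that closes both the CSRF and the stored XSS. The option name, nonce action and function names are assumptions.

```php
<?php
// Added example, not Auto SEO's own code. Option and function names are hypothetical.

// WEAK: any POST the victim's browser sends is stored unchecked (CSRF),
// and the stored value is echoed raw into the admin page (stored XSS).
function exampleseo_save_weak() {
    if ( isset( $_POST['exampleseo_title'] ) ) {
        update_option( 'exampleseo_title', $_POST['exampleseo_title'] );
    }
}
function exampleseo_render_weak() {
    echo '<input name="exampleseo_title" value="' . get_option( 'exampleseo_title' ) . '">';
}

// HARDENED: capability check + nonce verification reject a forged cross-site
// request, sanitization bounds what is stored, and escaping neutralises it on render.
function exampleseo_save_hardened() {
    if ( ! isset( $_POST['exampleseo_title'] ) ) {
        return;
    }
    // Only users permitted to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // Dies with HTTP 403 unless the form carried a valid nonce for this action;
    // a cross-site forged request cannot obtain the nonce value.
    check_admin_referer( 'exampleseo_save_settings', 'exampleseo_nonce' );

    $title = sanitize_text_field( wp_unslash( $_POST['exampleseo_title'] ) );
    update_option( 'exampleseo_title', $title );
}
function exampleseo_render_hardened() {
    echo '<form method="post">';
    // Emits the hidden nonce field that the save handler verifies.
    wp_nonce_field( 'exampleseo_save_settings', 'exampleseo_nonce' );
    // Escape for the attribute context so stored text cannot break out of value="".
    echo '<input name="exampleseo_title" value="'
        . esc_attr( get_option( 'exampleseo_title', '' ) ) . '">';
    submit_button();
    echo '</form>';
}
add_action( 'admin_init', 'exampleseo_save_hardened' );
```

When reviewing a plugin for this class of flaw, check that every handler that writes options performs both a capability check and a nonce check, and that every read of those options is escaped for its output context.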
OpenCVE Enrichment