Description
The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post Meta Description and Canonical URL parameters in all versions up to, and including, 4.8.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-05-19
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The affected All in One SEO WordPress plugin fails to sanitise and escape user‑supplied input for the Post Meta Description and Canonical URL parameters. This defect allows an authenticated user with Contributor‑level or higher permissions to inject arbitrary JavaScript that is stored and rendered when anyone views the affected page, leading to potential browser‑side attacks such as cookie theft, session hijacking or defacement. The weakness corresponds to CWE‑79, a classic known vulnerability that compromises the integrity and confidentiality of web‑application traffic.

Affected Systems

Vendors: smub; Product: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic. All plugin releases up to and including 4.8.1.1 are affected. Users running any of these versions on WordPress sites with Contributor or higher roles are at risk.

Risk and Exploitability

The catalog lists a CVSS score of 6.4, indicating moderate severity. EPSS indicates a probability of exploitation of less than 1% at the time of assessment, and the vulnerability is not included in CISA’s KEV list. The likely attack vector is through authenticated access, with an attacker needing Contributor‑level or higher credentials to create or modify a post. Once the malicious script is stored, any visitor to the page will trigger its execution, making the impact visible to all users who load the page. This configuration does not require special network exposure and can be exploited from any location where the user can access the WordPress admin interface.

Generated by OpenCVE AI on April 21, 2026 at 20:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade All in One SEO to the latest released version, which removes the insecure input handling for Meta Description and Canonical URL.
  • If an upgrade is not feasible immediately, restrict Contributor and other non‑administrator roles from editing SEO meta fields through role‑based access controls or a custom plugin that disables those settings.
  • Apply a Web Application Firewall rule that filters out common XSS payloads in the Meta Description and Canonical URL parameters, providing a temporary safety net until the plugin is updated.

Generated by OpenCVE AI on April 21, 2026 at 20:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-15663 The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post Meta Description and Canonical URL parameters in all versions up to, and including, 4.8.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 04 Jun 2025 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Aioseo
Aioseo all In One Seo
CPEs cpe:2.3:a:aioseo:all_in_one_seo:*:*:*:*:*:wordpress:*:*
Vendors & Products Aioseo
Aioseo all In One Seo

Mon, 19 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 19 May 2025 04:45:00 +0000

Type Values Removed Values Added
Description The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post Meta Description and Canonical URL parameters in all versions up to, and including, 4.8.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title All in One SEO Pack <= 4.8.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta Description and Canonical URL
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Aioseo All In One Seo
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:03:26.113Z

Reserved: 2025-03-27T23:17:48.798Z

Link: CVE-2025-2892

cve-icon Vulnrichment

Updated: 2025-05-19T13:45:39.332Z

cve-icon NVD

Status : Analyzed

Published: 2025-05-19T05:15:17.927

Modified: 2025-06-04T23:03:24.370

Link: CVE-2025-2892

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T20:45:25Z

Weaknesses