Description
The WP SEO Structured Data Schema plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Price Range’ parameter in all versions up to, and including, 2.7.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that will execute whenever an administrator accesses the plugin settings page.
Published: 2025-05-08
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that allows arbitrary scripts to run in the administrator context.
Action: Immediate Patch
AI Analysis

Impact

The plugin has a stored cross‑site scripting flaw in the Price Range field that does not properly sanitize or escape input. An attacker with Contributor or higher privileges can insert malicious JavaScript into the field, which then executes whenever an administrator visits the plugin settings page. This gives the attacker a persistent ability to run arbitrary code in the context of the admin user, enabling session hijacking, credential theft, or site defacement.
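As an added illustration of the sanitize-on-input and escape-on-output gap the analysis describes, not code from the plugin or from this record, here is a hypothetical WordPress settings handler in its vulnerable and hardened forms. Option and function names are assumed, and the hardened version also restricts saving to users with manage_options, WordPress's convention for plugin settings.

```php
<?php
// Added illustration, not the plugin's code. Option name and function names are
// hypothetical; the real plugin's internals are not shown on this page.

// --- Vulnerable pattern: value stored and echoed without sanitizing or escaping.
function sds_demo_save_price_range_vulnerable() {
    // Whoever can reach this handler saves raw input (no capability check, no nonce).
    update_option( 'sds_demo_price_range', wp_unslash( $_POST['price_range'] ) );
}
function sds_demo_render_price_range_vulnerable() {
    // Raw markup is emitted into the admin settings page: an attribute breakout
    // stored in the option runs in the administrator's browser on every visit.
    echo '<input type="text" name="price_range" value="'
        . get_option( 'sds_demo_price_range' ) . '">';
}

// --- Hardened pattern: capability + nonce on write, sanitize input, escape output.
function sds_demo_save_price_range_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );      // Contributors cannot change settings.
    }
    check_admin_referer( 'sds_demo_save_settings' ); // CSRF protection for the form post.
    $raw   = isset( $_POST['price_range'] ) ? wp_unslash( $_POST['price_range'] ) : '';
    $clean = sanitize_text_field( $raw );            // strips tags and control characters
    // Allow-list: a price range is a short string such as "$$" or "10-50 EUR".
    if ( ! preg_match( '/^[A-Za-z0-9 $€£.,\-]{0,32}$/u', $clean ) ) {
        $clean = '';
    }
    update_option( 'sds_demo_price_range', $clean );
}
function sds_demo_render_price_range_hardened() {
    $value = get_option( 'sds_demo_price_range', '' );
    // esc_attr() is the context-correct escape for an HTML attribute value;
    // escaping at output protects even if a stale unsanitized value is already stored.
    echo '<input type="text" name="price_range" value="' . esc_attr( $value ) . '">';
}
```

The same input rule can be attached declaratively with register_setting( 'sds_demo', 'sds_demo_price_range', array( 'sanitize_callback' => 'sanitize_text_field' ) ); output escaping is still required at every echo.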

Affected Systems

The vulnerability exists in the WP SEO Structured Data Schema plugin provided by kcseopro. All releases up to and including version 2.7.11 are affected. Systems running a later version are not impacted.

Risk and Exploitability

The CVSS score of 6.4 rates the flaw as moderate severity. The EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. Because it requires authenticated Contributor‑level access, the attack vector is limited to users who already have at least that level of permission on the WordPress site. The flaw is not listed in the CISA KEV catalog, reflecting its low observed exploitation risk.

Generated by OpenCVE AI on April 22, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP SEO Structured Data Schema plugin to a version newer than 2.7.11, if such a release exists.
  • If an upgrade is unavailable, uninstall the plugin or disable it temporarily to prevent use of the vulnerable feature.
  • Where possible, restrict the Contributor role or remove contributors that are not required, limiting the set of users who could insert malicious input.


Advisories

Source: EUVD
ID: EUVD-2025-13954
Title: The WP SEO Structured Data Schema plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Price Range’ parameter in all versions up to, and including, 2.7.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that will execute whenever an administrator accesses the plugin settings page.
History

Tue, 15 Jul 2025 13:45:00 +0000
  Metrics (epss): removed {'score': 0.00033}; added {'score': 0.00039}

Wed, 04 Jun 2025 23:15:00 +0000
  First Time appeared: added Wpsemplugins; Wpsemplugins wp Seo Structured Data Schema
  CPEs: added cpe:2.3:a:wpsemplugins:wp_seo_structured_data_schema:*:*:*:*:free:wordpress:*:*
  Vendors & Products: added Wpsemplugins; Wpsemplugins wp Seo Structured Data Schema

Thu, 08 May 2025 14:15:00 +0000
  Metrics (ssvc): added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 08 May 2025 07:00:00 +0000
  Description: added The WP SEO Structured Data Schema plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Price Range’ parameter in all versions up to, and including, 2.7.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that will execute whenever an administrator accesses the plugin settings page.
  Title: added WP SEO Structured Data Schema <= 2.7.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin Settings
  Weaknesses: added CWE-79
  References:
  Metrics (cvssV3_1): added {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:19.837Z

Reserved: 2025-04-30T07:43:07.570Z

Link: CVE-2025-4127

Vulnrichment

Updated: 2025-05-08T14:09:36.617Z

NVD

Status: Analyzed

Published: 2025-05-08T07:15:54.727

Modified: 2025-06-04T22:46:00.467

Link: CVE-2025-4127

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:30:22Z

Weaknesses