Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DELUCKS DELUCKS SEO delucks-seo allows Stored XSS. This issue affects DELUCKS SEO: from n/a through <= 2.5.9.
Published: 2025-05-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The DELUCKS SEO plugin for WordPress does not properly neutralize input during web page generation, allowing stored cross-site scripting. In the vulnerable versions, unsanitized data entered through the plugin's configuration or post metadata is saved and later rendered directly into web pages. A successful attack injects scripts that execute in the browsers of site visitors, potentially exposing session cookies, hijacking user sessions, defacing content, or loading malicious third-party resources.

Affected Systems

All WordPress sites that have the DELUCKS SEO plugin installed on any version up to 2.5.9, including 2.5.9 itself, are affected. No version higher than 2.5.9 is known to contain the flaw.

Risk and Exploitability

The CVSS v3.1 base score is 6.5 (Medium). The EPSS score is under 1%, suggesting a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves unauthenticated or authenticated users submitting input through the plugin's administrative interface that is later stored; the attacker does not need to compromise the server and only has to supply payloads that the plugin stores and renders. Exploitation requires the ability to insert data into the plugin's configuration or content fields, which may be limited to administrators or contributors depending on the site's role configuration.

Generated by OpenCVE AI on April 30, 2026 at 13:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the DELUCKS SEO plugin to the latest available version that fixes the XSS flaw, such as 2.6.0 or newer.
  • Remove or sanitize any legacy content that may have stored malicious scripts, including titles, meta descriptions, or other plugin fields, by reviewing recent posts and cleaning data manually.
  • Implement a Content Security Policy that blocks inline scripts or employ a web application firewall to detect and block malicious payloads until the plugin is updated.

Generated by OpenCVE AI on April 30, 2026 at 13:06 UTC.
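To make the stored-XSS pattern described above and the "sanitize on save, escape on output" fix concrete, here is an added illustration in a hypothetical WordPress SEO plugin. It is not the DELUCKS SEO plugin's code; the meta key, nonce names and function names are assumptions for this example.

```php
<?php
// Added illustration (not the DELUCKS SEO plugin's code): a hypothetical WordPress
// SEO plugin that stores a per-post meta description and prints it in <head>.
// Meta key, nonce and function names are assumptions for this example.

// --- Vulnerable pattern: the stored value reaches the page unescaped. ---
// Post meta written by a plugin is NOT run through KSES automatically, so a
// value containing a double quote followed by a <script> tag closes the
// attribute and runs for every visitor of the post (stored XSS).
function hypo_seo_print_description_unsafe() {
    if ( ! is_singular() ) {
        return;
    }
    $desc = get_post_meta( get_queried_object_id(), '_hypo_seo_description', true );
    echo '<meta name="description" content="' . $desc . '">' . "\n";
}

// --- Hardened pattern: sanitize on save, escape on output. ---
function hypo_seo_save_description( $post_id ) {
    // Capability and nonce checks keep lower-privileged or forged requests out.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( ! isset( $_POST['hypo_seo_nonce'] )
        || ! wp_verify_nonce( $_POST['hypo_seo_nonce'], 'hypo_seo_save' ) ) {
        return;
    }
    $raw = isset( $_POST['hypo_seo_description'] ) ? wp_unslash( $_POST['hypo_seo_description'] ) : '';
    // sanitize_text_field() strips tags, encoded line breaks and stray octets.
    $clean = sanitize_text_field( $raw );
    update_post_meta( $post_id, '_hypo_seo_description', $clean );
}
add_action( 'save_post', 'hypo_seo_save_description' );

function hypo_seo_print_description() {
    if ( ! is_singular() ) {
        return;
    }
    $desc = get_post_meta( get_queried_object_id(), '_hypo_seo_description', true );
    if ( '' === $desc ) {
        return;
    }
    // esc_attr() is the right escaper for an HTML attribute context: quotes and
    // angle brackets become entities, so the value cannot terminate the attribute
    // or the tag even if a stale, unsanitized value is still in the database.
    echo '<meta name="description" content="' . esc_attr( $desc ) . '">' . "\n";
}
add_action( 'wp_head', 'hypo_seo_print_description' );
```

Escaping at output is what protects visitors from legacy values already stored before the fix, which is why the recommended cleanup of existing fields and the output escaping go together.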

Advisories
Source: EUVD
ID: EUVD-2025-13721
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DELUCKS DELUCKS SEO allows Stored XSS. This issue affects DELUCKS SEO: from n/a through 2.5.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DELUCKS DELUCKS SEO allows Stored XSS. This issue affects DELUCKS SEO: from n/a through 2.5.9. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DELUCKS DELUCKS SEO delucks-seo allows Stored XSS.This issue affects DELUCKS SEO: from n/a through <= 2.5.9.
Title WordPress DELUCKS SEO <= 2.5.9 - Cross Site Scripting (XSS) Vulnerability WordPress DELUCKS SEO plugin <= 2.5.9 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00039}

epss

{'score': 0.00045}


Wed, 07 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 May 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DELUCKS DELUCKS SEO allows Stored XSS. This issue affects DELUCKS SEO: from n/a through 2.5.9.
Title WordPress DELUCKS SEO <= 2.5.9 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:49.618Z

Reserved: 2025-05-07T10:45:37.287Z

Link: CVE-2025-47686

Vulnrichment

Updated: 2025-05-07T17:18:28.504Z

NVD

Status : Deferred

Published: 2025-05-07T15:16:20.610

Modified: 2026-04-23T15:30:44.707

Link: CVE-2025-47686

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T13:15:37Z

Weaknesses