Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Terry L. SEO Search Permalink seo-search-permalink allows Stored XSS. This issue affects SEO Search Permalink: from n/a through <= 1.0.3.
Published: 2025-09-26
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper input neutralization during web page generation, enabling stored cross‑site scripting attacks. An attacker can inject malicious JavaScript that is persisted in the site’s content and executed whenever any user loads a page rendered by the plugin. This can lead to credential theft, session hijacking, defacement or compromise of other visitors, directly impacting the confidentiality and integrity of site data.

Affected Systems

The issue affects the WordPress SEO Search Permalink plugin from Terry L. for all releases through version 1.0.3. The plugin is commonly used to generate SEO‑friendly permalinks, and any site that has installed or upgraded to this version is potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.9 indicates medium severity, while an EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be web‑based, relying on the plugin’s data storage and rendering mechanisms to persist injected code.

Generated by OpenCVE AI on April 29, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SEO Search Permalink plugin to the latest available version (at least 1.0.4) or any version that removes the stored XSS flaw
  • If an upgrade is not immediately possible, disable or delete the plugin to prevent the vulnerable code from executing
  • Manually review and sanitize, outside the plugin’s own storage path, any content that may have been injected through the vulnerability, and regenerate affected pages
  • Deploy a web application firewall rule to block typical XSS payloads targeting the plugin’s input fields


Advisories
Source: EUVD
ID: EUVD-2025-31229
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Terry L. SEO Search Permalink allows Stored XSS. This issue affects SEO Search Permalink: from n/a through 1.0.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Terry L. SEO Search Permalink allows Stored XSS. This issue affects SEO Search Permalink: from n/a through 1.0.3.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Terry L. SEO Search Permalink seo-search-permalink allows Stored XSS. This issue affects SEO Search Permalink: from n/a through <= 1.0.3.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Mon, 29 Sep 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 26 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Sep 2025 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Terry L. SEO Search Permalink allows Stored XSS. This issue affects SEO Search Permalink: from n/a through 1.0.3.
Title WordPress SEO Search Permalink Plugin <= 1.0.3 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:57.016Z

Reserved: 2025-09-25T15:28:27.830Z

Link: CVE-2025-60184

Vulnrichment

Updated: 2025-09-26T13:16:17.860Z

NVD

Status: Deferred

Published: 2025-09-26T09:15:48.143

Modified: 2026-04-23T15:34:21.760

Link: CVE-2025-60184

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T00:00:14Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')