Description
Missing Authorization vulnerability in Xagio SEO Xagio SEO xagio-seo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Xagio SEO: from n/a through <= 7.1.0.37.
Published: 2025-12-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Xagio SEO WordPress plugin contains a missing authorization flaw (CWE-862) that allows attackers to bypass the intended access control settings, enabling them to modify plugin settings or retrieve sensitive data and thereby compromising the confidentiality, integrity, and availability of the WordPress site.

Affected Systems

The vulnerability affects the Xagio SEO WordPress plugin in versions up to and including 7.1.0.37, with the specific 7.1.0.29 release noted as vulnerable. Any WordPress installation that has a vulnerable version of the Xagio SEO plugin is at risk.

Risk and Exploitability

The CVSS score of 4.3 places the vulnerability in the Medium severity range, while the EPSS score of less than 1% indicates a low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack path is a web‑based request to the plugin’s admin endpoints that exploits the missing authorization check; the attacker does not need prior authentication beyond a normal WordPress user role that has plugin management rights. Because the flaw is a broken access control issue, an attempt to elevate privileges within the plugin’s scope can be carried out by a user who normally lacks those permissions.

Generated by OpenCVE AI on April 29, 2026 at 19:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Xagio SEO plugin to the latest version that addresses the access control issue.
  • Disable or uninstall the Xagio SEO plugin if upgrading is not feasible.
  • Review and restrict WordPress user roles to minimize the number of accounts with high-level privileges.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Description
  Values Removed: Missing Authorization vulnerability in Xagio SEO Xagio SEO xagio-seo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Xagio SEO: from n/a through <= 7.1.0.35.
  Values Added: Missing Authorization vulnerability in Xagio SEO Xagio SEO xagio-seo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Xagio SEO: from n/a through <= 7.1.0.37.
Type: Title
  Values Removed: WordPress Xagio SEO plugin <= 7.1.0.35 - Broken Access Control vulnerability
  Values Added: WordPress Xagio SEO plugin <= 7.1.0.37 - Broken Access Control vulnerability

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  Values Removed: Missing Authorization vulnerability in Xagio SEO Xagio SEO xagio-seo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Xagio SEO: from n/a through <= 7.1.0.29.
  Values Added: Missing Authorization vulnerability in Xagio SEO Xagio SEO xagio-seo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Xagio SEO: from n/a through <= 7.1.0.35.
Type: Title
  Values Removed: WordPress Xagio SEO plugin <= 7.1.0.29 - Broken Access Control vulnerability
  Values Added: WordPress Xagio SEO plugin <= 7.1.0.35 - Broken Access Control vulnerability

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Wed, 10 Dec 2025 18:15:00 +0000

Type: Metrics
  Values Added:
    cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Dec 2025 18:00:00 +0000

Type: First Time appeared
  Values Added:
    Wordpress
    Wordpress wordpress
    Xagio
    Xagio xagio Seo
Type: Vendors & Products
  Values Added:
    Wordpress
    Wordpress wordpress
    Xagio
    Xagio xagio Seo

Tue, 09 Dec 2025 15:00:00 +0000

Type: Description
  Values Added: Missing Authorization vulnerability in Xagio SEO Xagio SEO xagio-seo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Xagio SEO: from n/a through <= 7.1.0.29.
Type: Title
  Values Added: WordPress Xagio SEO plugin <= 7.1.0.29 - Broken Access Control vulnerability
Type: Weaknesses
  Values Added: CWE-862
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:08.725Z

Reserved: 2025-10-24T14:25:44.113Z

Link: CVE-2025-63025

Vulnrichment

Updated: 2025-12-10T17:18:11.082Z

NVD

Status: Deferred

Published: 2025-12-09T16:18:08.363

Modified: 2026-04-23T15:34:58.747

Link: CVE-2025-63025

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T19:30:18Z

Weaknesses