Description
Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO <= 1.1.2 versions.
Published: 2026-06-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated reflected XSS flaw (CWE‑79) exists in the iRobots.txt SEO plugin for WordPress versions 1.1.2 and earlier. User supplied data, such as query parameters, is echoed back into the page without proper sanitization. A malicious actor could embed arbitrary JavaScript, enabling session hijacking, credential theft, defacement, or phishing attacks executed within the browsers of any visitor to the affected WordPress site.

Affected Systems

WordPress sites that have installed the markbeljaars iRobots.txt SEO plugin version 1.1.2 or earlier are impacted. The plugin is available in the WordPress plugin repository, and it is inferred that many sites may have installed it through that channel; however, the exact distribution level is not stated in the official description.

Risk and Exploitability

The CVSS v3.1 score of 7.1 indicates a high‑severity vulnerability, while the EPSS score of under 1% suggests a low likelihood of widespread exploitation at the time of this analysis. The flaw is not listed in the CISA KEV catalog. Because the vulnerability is unauthenticated, an attacker can trigger it simply by sending an affected user a crafted URL that causes the page to process untrusted input. The attack vector requires no special privileges beyond user access to the site.

Generated by OpenCVE AI on June 18, 2026 at 03:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the iRobots.txt SEO plugin to the latest version available, ensuring it is newer than 1.1.2, to eliminate the unsanitized echo of user input.
  • If an immediate upgrade is not possible, disable or delete the plugin to eliminate the attack surface.
  • Apply a web‑application firewall rule to block or sanitize payloads that match typical XSS input patterns on the affected URLs.
  • Check the plugin developer’s website or the WordPress plugin repository for a security patch or updated version.

Generated by OpenCVE AI on June 18, 2026 at 03:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Markbeljaars
Markbeljaars irobots.txt Seo
Wordpress
Wordpress wordpress
Vendors & Products Markbeljaars
Markbeljaars irobots.txt Seo
Wordpress
Wordpress wordpress

Mon, 15 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO <= 1.1.2 versions.
Title WordPress iRobots.txt SEO plugin <= 1.1.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Markbeljaars Irobots.txt Seo
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-15T22:09:58.366Z

Reserved: 2025-12-24T13:59:58.566Z

Link: CVE-2025-68840

cve-icon Vulnrichment

Updated: 2026-06-15T22:09:51.342Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:38.313

Modified: 2026-06-15T21:24:32.790

Link: CVE-2025-68840

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:08:09Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')