Impact
An unauthenticated reflected XSS flaw (CWE‑79) exists in the iRobots.txt SEO plugin for WordPress versions 1.1.2 and earlier. User supplied data, such as query parameters, is echoed back into the page without proper sanitization. A malicious actor could embed arbitrary JavaScript, enabling session hijacking, credential theft, defacement, or phishing attacks executed within the browsers of any visitor to the affected WordPress site.
Affected Systems
WordPress sites that have installed the markbeljaars iRobots.txt SEO plugin version 1.1.2 or earlier are impacted. The plugin is available in the WordPress plugin repository, and it is inferred that many sites may have installed it through that channel; however, the exact distribution level is not stated in the official description.
Risk and Exploitability
The CVSS v3.1 score of 7.1 indicates a high‑severity vulnerability, while the EPSS score of under 1% suggests a low likelihood of widespread exploitation at the time of this analysis. The flaw is not listed in the CISA KEV catalog. Because the vulnerability is unauthenticated, an attacker can trigger it simply by sending an affected user a crafted URL that causes the page to process untrusted input. The attack vector requires no special privileges beyond user access to the site.
OpenCVE Enrichment