Description
The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the broken preg_replace expression in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-08-26
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that allows authenticated users with Contributor access to inject scripts executed by others
Action: Update Plugin
AI Analysis

Impact

The vulnerability arises from a faulty regular expression in the preg_replace call that fails to sanitize user input and escape output. This flaw permits an authenticated Contributor or higher level user to embed arbitrary JavaScript into plugin configuration pages. When another user opens the affected page, the injected script runs in their browser context. The impact is client‑side code execution that can lead to session hijacking, credential theft, or defacement of the site. The weakness matches CWE‑79, a classic reflected or stored XSS scenario.

Affected Systems

WordPress installations running the SiteSEO – SEO Simplified plugin with version 1.2.7 or earlier are affected. The flaw exists only in the source code of those releases and is not present in newer versions released after 1.2.7.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, while the EPSS score of less than 1% suggests that exploitation is unlikely at this time. Because the attack requires legitimate Contributor or higher authentication, an attacker must first compromise a user’s credentials or gain access through an existing account. The plugin is not listed in the CISA KEV catalog, further reducing the immediate threat posture for most environments.

Generated by OpenCVE AI on April 20, 2026 at 19:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of the SiteSEO – SEO Simplified plugin, ensuring it is above 1.2.7
  • If an update is not immediately possible, disable or uninstall the plugin to eliminate the vulnerability
  • Restrict Contributor role permissions or remove access to the plugin’s configuration fields until a patch is applied

Generated by OpenCVE AI on April 20, 2026 at 19:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-25954 The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the broken preg_replace expression in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 27 Aug 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 Aug 2025 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Softaculous
Softaculous siteseo
Wordpress
Wordpress wordpress
Vendors & Products Softaculous
Softaculous siteseo
Wordpress
Wordpress wordpress

Tue, 26 Aug 2025 22:45:00 +0000

Type Values Removed Values Added
Description The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the broken preg_replace expression in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title SiteSEO – SEO Simplified <= 1.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Broken Regex Expression
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Softaculous Siteseo
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:50.443Z

Reserved: 2025-08-20T19:11:22.801Z

Link: CVE-2025-9277

cve-icon Vulnrichment

Updated: 2025-08-27T20:43:15.544Z

cve-icon NVD

Status : Deferred

Published: 2025-08-26T23:15:35.963

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9277

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T20:00:10Z

Weaknesses