Impact
An unauthenticated path exists within the WordPress SEO Redirection plugin that allows the injection of malicious scripts. The vulnerability is a classic Cross Site Scripting flaw classified as CWE-79. An attacker who can supply crafted input—likely through a URL or plugin configuration—could cause arbitrary JavaScript to execute in the context of a visitor’s browser, enabling session hijacking, defacement, or data exfiltration.
Affected Systems
The flaw affects the WordPress SEO Redirection plugin from vendor wp-buy, versions 9.17 and earlier. Users should verify whether their installation is at or below 9.17 to determine if the vulnerability applies.
Risk and Exploitability
The published CVSS score of 7.1 indicates moderate‑to‑high severity, yet the EPSS score of less than 1% suggests a very low likelihood of exploitation at present. This vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a web‑based input (such as a URL or form field), requiring no special privileges to utilise.
OpenCVE Enrichment