Description
Unauthenticated Cross Site Scripting (XSS) in SEO Redirection <= 9.17 versions.
Published: 2026-06-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated path exists within the WordPress SEO Redirection plugin that allows the injection of malicious scripts. The vulnerability is a classic Cross Site Scripting flaw classified as CWE-79. An attacker who can supply crafted input—likely through a URL or plugin configuration—could cause arbitrary JavaScript to execute in the context of a visitor’s browser, enabling session hijacking, defacement, or data exfiltration.

Affected Systems

The flaw affects the WordPress SEO Redirection plugin from vendor wp-buy, versions 9.17 and earlier. Users should verify whether their installation is at or below 9.17 to determine if the vulnerability applies.

Risk and Exploitability

The published CVSS score of 7.1 indicates moderate‑to‑high severity, yet the EPSS score of less than 1% suggests a very low likelihood of exploitation at present. This vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a web‑based input (such as a URL or form field), requiring no special privileges to utilise.

Generated by OpenCVE AI on June 18, 2026 at 03:17 UTC.

Remediation

Vendor Solution

Update the WordPress SEO Redirection Plugin to the latest available version (at least 9.18).


OpenCVE Recommended Actions

  • Update the WordPress SEO Redirection Plugin to version 9.18 or later.
  • Disable the plugin or temporarily block its usage until the update is applied to avoid exposure to the XSS payloads.
  • Configure a Web Application Firewall to filter or block common XSS attack patterns while the vulnerability is unresolved.

Generated by OpenCVE AI on June 18, 2026 at 03:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wp-buy
Wp-buy seo Redirection
Vendors & Products Wordpress
Wordpress wordpress
Wp-buy
Wp-buy seo Redirection

Mon, 15 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in SEO Redirection <= 9.17 versions.
Title WordPress SEO Redirection plugin <= 9.17 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress Wordpress
Wp-buy Seo Redirection
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-15T21:34:26.411Z

Reserved: 2026-06-08T10:11:13.730Z

Link: CVE-2026-52702

cve-icon Vulnrichment

Updated: 2026-06-15T21:34:24.059Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:24.733

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-52702

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:06:30Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')