Description
Unauthenticated Cross Site Scripting (XSS) in Search Atlas SEO <= 2.6.6 versions.
Published: 2026-07-02
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated reflected XSS flaw exists in the Search Atlas SEO WordPress plugin because the search query is not properly validated or escaped before it is reflected in the response. The vulnerability allows arbitrary JavaScript to execute in the browser of any visitor who submits a crafted search term, so an attacker can exfiltrate authentication cookies, impersonate users, or display deceptive content, compromising the confidentiality, integrity, and potentially the availability of the site's user interactions. The weakness corresponds to CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic failure to neutralize input that permits execution of attacker-supplied code.

Affected Systems

The vulnerability affects the Search Atlas SEO plugin distributed by Search Atlas Group. Versions up to and including 2.6.6 are impacted; any release 2.6.7 or later applies the fix.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity; no EPSS score was available at the time of analysis, so public exploitation data is insufficient. The vulnerability is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is an unauthenticated web request to the plugin's search interface, meaning any visitor to the site can trigger the flaw by supplying a malicious query. Exploitation requires no elevated privileges or credentials, which makes the flaw widely exploitable.

Generated by OpenCVE AI on July 2, 2026 at 15:16 UTC.

Remediation

Vendor Solution

Update the WordPress Search Atlas SEO Plugin to the latest available version (at least 2.6.7).


OpenCVE Recommended Actions

  • Apply the latest release of the Search Atlas SEO plugin (version 2.6.7 or newer).
  • If upgrading immediately is not possible, filter and escape any search query parameters server‑side to prevent script reflection before rendering the page.
  • Consider disabling the Search Atlas SEO plugin altogether if it is not essential to site functionality until a patched release is applied.
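The second recommended action above (escape search parameters server-side before rendering) is the generic fix for this class of bug. The following is an added illustrative example and is not code from the Search Atlas SEO plugin or from Patchstack; it shows the unsafe reflection pattern beside a hardened version using WordPress core helpers (wp_unslash, sanitize_text_field, esc_html, esc_attr, get_search_query). The function names vulnerable_render_search_header and hardened_render_search_header are hypothetical.

```php
<?php
// Added example (not the plugin's code): reflected XSS pattern in a WordPress
// search header, and the hardened equivalent.

// UNSAFE: raw request input is concatenated straight into HTML. Any markup in
// the "s" parameter is reflected verbatim into the page, which is the
// CWE-79 condition described in the advisory.
function vulnerable_render_search_header() {
    $query = isset( $_GET['s'] ) ? $_GET['s'] : '';
    echo '<h2>Search results for: ' . $query . '</h2>';
    echo '<input type="text" name="s" value="' . $query . '">';
}

// HARDENED: sanitize on input, then escape for the exact output context.
function hardened_render_search_header() {
    // wp_unslash() removes the slashes WordPress adds to superglobals;
    // sanitize_text_field() strips tags, octets and control characters.
    $query = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';

    // Escaping is context-specific: esc_html() for element content,
    // esc_attr() inside an attribute value. Sanitizing alone is not enough,
    // because a quote character is still valid text but breaks an attribute.
    echo '<h2>Search results for: ' . esc_html( $query ) . '</h2>';
    echo '<input type="text" name="s" value="' . esc_attr( $query ) . '">';

    // WordPress core already provides an escaped accessor for the search
    // term; get_search_query() applies esc_attr() by default.
    echo '<p>You searched for: ' . get_search_query() . '</p>';
}
```

When reviewing a plugin for this defect, look for every place the search term reaches output (titles, breadcrumbs, meta tags, JSON-LD, hidden form fields) and confirm that each one is escaped for its own context; a single unescaped sink is sufficient for the flaw described here.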


Advisories

No advisories yet.

History

Thu, 02 Jul 2026 16:30:00 +0000

Type                 Values Removed    Values Added
Metrics (ssvc)                         {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 11:30:00 +0000

Type                 Values Removed    Values Added
Description                            Unauthenticated Cross Site Scripting (XSS) in Search Atlas SEO <= 2.6.6 versions.
Title                                  WordPress Search Atlas SEO plugin <= 2.6.6 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses                             CWE-79
References
Metrics (cvssV3_1)                     {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T15:53:22.538Z

Reserved: 2026-06-24T12:45:36.889Z

Link: CVE-2026-57357

Vulnrichment

Updated: 2026-07-02T13:33:33.680Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T15:30:05Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')