Impact
An unauthenticated reflected cross-site scripting (XSS) flaw exists in the Search Atlas SEO WordPress plugin: the search query is reflected into the response without being properly neutralized for the HTML context it is written into. An attacker who gets a visitor to open a crafted search URL (via a link, an e-mail, or a page that redirects to it) has arbitrary JavaScript executed in that visitor's browser within the site's origin. From there the script acts with the victim's session, including an administrator's: it can submit requests, read page content such as WordPress nonces, display deceptive content, or send data to an attacker-controlled host. WordPress sets its authentication cookies with the HttpOnly flag, so reading the cookie itself is usually not the realistic outcome; driving authenticated actions through the victim's browser is. Confidentiality and integrity of the affected user's interactions with the site are compromised, and availability of those interactions can be degraded by defacement or disruptive scripts. The weakness corresponds to CWE-79 (improper neutralization of input during web page generation): the root cause is missing output encoding, which input validation alone does not address.
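To make the bug class concrete, the following added example (written for this page, not code from the Search Atlas SEO plugin) shows a minimal WordPress-style search form that reflects the query, once in the vulnerable pattern the advisory describes and once with output encoding applied. The parameter name s, the markup, and the two payloads are assumptions for illustration; the actual vulnerable parameter and code path in the plugin are not given on this page. It runs stand-alone under PHP 8 with the dom extension, and a small DOM-based check counts the script elements and on* handler attributes that the input was able to inject.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (the bug class the advisory describes): the raw query
// is concatenated into an attribute value and into element text with no
// output encoding, so the input can close the attribute or open a tag.
// The parameter name "s" and this markup are assumptions, not the plugin's.
function render_search_vulnerable(string $query): string
{
    return '<form method="get">'
         . '<input type="text" name="s" value="' . $query . '">'
         . '</form>'
         . '<p>Results for: ' . $query . '</p>';
}

// Hardened pattern: encode for the HTML context at the point of output.
// Inside WordPress use esc_attr() for attribute values and esc_html() for
// element text; both wrap an htmlspecialchars() call with ENT_QUOTES, which
// is what this stand-in does so the script runs without WordPress loaded.
function esc_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function render_search_hardened(string $query): string
{
    $safe = esc_for_html($query);
    return '<form method="get">'
         . '<input type="text" name="s" value="' . $safe . '">'
         . '</form>'
         . '<p>Results for: ' . $safe . '</p>';
}

// Structural check rather than string matching: parse the rendered HTML the
// way a browser would and count what the input must never be able to add,
// namely <script> elements and on* event-handler attributes.
function injected_nodes(string $html): int
{
    libxml_use_internal_errors(true);           // fragments trigger warnings
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $count = $doc->getElementsByTagName('script')->length;
    foreach ($doc->getElementsByTagName('*') as $element) {
        foreach ($element->attributes as $attribute) {
            if (str_starts_with(strtolower($attribute->name), 'on')) {
                $count++;
            }
        }
    }
    return $count;
}

// Constructed payloads (not taken from any report): the first closes the
// attribute and opens a tag, the second stays inside the tag and adds an
// event handler that fires without a click.
$payloads = [
    '"><script>alert(document.domain)</script>',
    '" autofocus onfocus="alert(document.domain)',
];

foreach ($payloads as $payload) {
    printf(
        "payload: %s\n  vulnerable renderer: %d injected node(s)\n  hardened renderer:   %d injected node(s)\n",
        $payload,
        injected_nodes(render_search_vulnerable($payload)),
        injected_nodes(render_search_hardened($payload))
    );
}
```

Run it with php on the command line: the vulnerable renderer reports two injected nodes for the first payload (a script element in the attribute break-out and another in the results text) and one for the second (the onfocus handler), while the hardened renderer reports zero for both. The point of the DOM-based check is that it measures what a browser would actually build from the output, which is the property a fix for CWE-79 must guarantee; filtering "script" out of the input does not.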
Affected Systems
The vulnerability affects the Search Atlas SEO plugin distributed by Search Atlas Group. Versions up to and including 2.6.6 are affected; 2.6.7 and later contain the fix. The installed version can be confirmed on the Plugins screen in wp-admin or with the WP-CLI command wp plugin list.
Risk and Exploitability
The CVSS score of 7.1 places the issue in the high severity band. No EPSS score was available at the time of analysis, so there is no public estimate of exploitation probability, and the vulnerability is not listed in CISA's KEV catalog. Based on the description, the attack vector is an unauthenticated HTTP request to the plugin's search interface: the attacker needs no account or privileges, only a crafted query. What the attack does require is user interaction, because a reflected payload executes only when a victim opens the attacker's URL, so the realistic path is a phishing link or a page that redirects to the crafted search. The absence of any authentication or privilege requirement on the attacker's side, combined with a public-facing search endpoint, makes the flaw broadly exploitable against any site running a vulnerable version.
OpenCVE Enrichment