CVE-2025-3302 in Xagio SEO Plugin
Summary
by MITRE • 06/11/2025
The Xagio SEO – AI Powered SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘HTTP_REFERER’ parameter in all versions up to, and including, 7.1.0.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 7.1.0.0.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 06/19/2026
The Xagio SEO plugin for WordPress represents a significant security risk through its stored cross-site scripting vulnerability that affects versions up to and including 7.1.0.16. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's handling of the HTTP_REFERER parameter, creating an attack surface that allows unauthenticated adversaries to inject malicious web scripts into the plugin's administrative interfaces. The flaw enables attackers to craft malicious payloads that persist within the plugin's data storage, making the vulnerability particularly dangerous as it can affect multiple users who access pages containing the injected scripts. The HTTP_REFERER parameter typically contains information about the source of incoming requests and is commonly used for analytics and tracking purposes, but in this case, the plugin fails to properly sanitize or escape this input before processing or displaying it within the WordPress admin environment.
The technical exploitation of this vulnerability occurs through the manipulation of the HTTP_REFERER header that WordPress passes to the Xagio SEO plugin during various administrative operations. When an attacker can control or influence this header value, they can inject malicious JavaScript code that gets stored within the plugin's data structures. This stored script executes whenever any user with appropriate privileges accesses pages that display or process the compromised referer data, creating a persistent threat vector that can affect multiple users over time. The vulnerability's classification aligns with CWE-79 which describes improper neutralization of input during web page generation, specifically highlighting the lack of proper output escaping mechanisms that should prevent malicious code from executing in web browsers. The attack vector follows the typical pattern of stored XSS where malicious input is first stored on the server and then executed in the context of a victim's browser session.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with potential access to administrative functions within the WordPress environment. Once an attacker successfully injects malicious code, they can perform actions such as modifying plugin settings, accessing sensitive data, or even escalating privileges within the WordPress installation. The vulnerability's persistence through version 7.1.0.16 indicates that while partial remediation occurred in version 7.1.0.0, the fix was incomplete or ineffective against certain attack scenarios. This leaves users running vulnerable versions at risk of having their administrative interfaces compromised, potentially allowing full control over the WordPress site's SEO configurations and underlying data. The vulnerability affects not just individual users but can compromise entire WordPress installations, especially when the plugin is used in conjunction with other security-sensitive administrative functions. The stored nature of the XSS attack means that even users who have no direct interaction with the malicious page can be affected when they access the plugin's administrative interfaces, creating a broad attack surface that can impact multiple roles within the WordPress user hierarchy.
Security mitigations for this vulnerability require immediate action from affected users to upgrade to patched versions of the Xagio SEO plugin, although the partial patching in version 7.1.0.0 suggests that additional verification may be necessary. Organizations should implement monitoring of HTTP_REFERER headers within their WordPress environments to detect potential exploitation attempts, and consider implementing web application firewalls that can identify and block malicious script injection attempts. The vulnerability demonstrates the critical importance of proper input validation and output escaping in web applications, particularly those handling user-supplied data in administrative contexts. According to ATT&CK framework, this vulnerability maps to T1059.007 for script injection techniques and T1566 for credential harvesting through web applications, indicating that exploitation could lead to broader compromise of the WordPress environment. Regular security audits of WordPress plugins should include verification of input sanitization practices and output escaping mechanisms, as this vulnerability represents a common pattern in web application security flaws that can be prevented through proper development practices and security testing procedures.