Simple SEO < 2.0.32 – Contributor+ Stored XSS | CVE 2025-10357 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameters when outputing them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.

Proof of Concept

1. Create a new Post and Go to the Simple SEO tab.
2. Insert the XSS payload into the HTML-encoded SEO Title and save the POST. Payload: "&gt;&lt;script&gt;&lt;/script&gt;&lt;img src=x onerror=alert(777)&gt;

Affects Plugins

Fixed in 2.0.32

References

CVE

URL

https://research.cleantalk.org/cve-2025-10357

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krugov Artyom

Submitter

Krugov Aryom

Submitter website

https://cleantalk.org

Verified

Yes

WPVDB ID

24fcf8ef-603f-4e1f-905d-fbaf989a617f

Timeline

Publicly Published

2025-09-23 (about 3 months ago)

Added

2025-09-23 (about 3 months ago)

Last Updated

2025-09-23 (about 3 months ago)

Other

Published

Title

Published

2025-01-27

Title

WP Dynamics CRM for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms < 1.1.7 - Reflected Cross-Site Scripting

Published

2024-03-15

Title

ElementsKit Elementor addons < 3.0.5 - Contributor+ Stored XSS

Published

2025-04-25

Title

Document Management System <= 1.24 - Reflected Cross-Site Scripting

Published

2023-01-11

Title

Flexible Captcha <= 4.1 - Contributor+ Stored XSS

Published

2022-03-15

Title

Super Socializer < 7.13.30 - Reflected Cross-Site Scripting