WordPress Plugin Vulnerabilities

Xagio SEO < 7.1.0.6 - Unauthenticated Sensitive Information Exposure via Unprotected Back-Up Files

Description

The Xagio SEO plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.1.0.5 via the backup functionality due to weak filename structure and lack of protection in the directory. This makes it possible for unauthenticated attackers to extract sensitive data from backups which can include the entire database and site's files.

Affects Plugins

Plugin icon
xagio-seo
Fixed in 7.1.0.6

References

CVE
CVE-2024-13807
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9d7b7f4b-6acb-4ccb-8f2e-951012996ac7

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
7.5 (high)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
ae42084b-ca20-4c1b-86b0-5f80a91777aa

Timeline

Publicly Published
2025-08-27 (about 9 months ago)
Added
2025-08-27 (about 9 months ago)
Last Updated
2025-08-28 (about 9 months ago)

Other

Published
Title
Published
2025-02-14
Title
Customer Email Verification for WooCommerce < 2.9.5 - Authenticated (Contributor+) Sensitive Information Exposure
Published
2025-03-31
Title
Awesome Support – WordPress HelpDesk & Support Plugin < 6.3.2 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory
Published
2025-04-17
Title
wpLike2Get <= 1.2.9 - Unauthenticated Information Exposure
Published
2025-09-12
Title
Multiple Plugins and Themes by inkthemes - Unauthenticated Information Exposure
Published
2025-01-31
Title
Directorist – AI-Powered WordPress Business Directory Plugin with Classified Ads Listings < 8.1 - Unauthenticated User Information Exposure