WordPress Plugin Vulnerabilities

SEO Bulk Editor <= 1.1.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Description

The SEO Bulk Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
seo-bulk-editor
No known fix

References

CVE
CVE-2025-22587
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/881b8b18-d048-4de4-a797-a5de60d7fd3e

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
SOPROBRO
Verified
No
WPVDB ID
f5b08586-a3d4-4feb-b622-8ccfccab952d

Timeline

Publicly Published
2025-01-07 (about 1 year ago)
Added
2025-01-20 (about 1 year ago)
Last Updated
2025-01-20 (about 1 year ago)

Other

Published
Title
Published
2021-08-11
Title
Software License Manager < 4.4.8 - Reflected Cross-Site Scripting
Published
2025-02-02
Title
Social Links <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2017-05-24
Title
AffiliateWP <= 2.0.9 - Authenticated Cross-Site Scripting (XSS)
Published
2024-06-18
Title
Ultimate Blocks – WordPress Blocks Plugin < 3.1.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via metabox
Published
2022-12-28
Title
WPZOOM Portfolio < 1.2.2 - Contributor+ Stored XSS via Shortcode