WordPress Plugin Vulnerabilities

Search Atlas SEO < 2.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Search Atlas SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
metasync
Fixed in 2.5.5

References

CVE
CVE-2025-58019
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c4db394c-415a-40c5-ae0e-2dfe503867d4

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
zaim
Verified
No
WPVDB ID
fa9f9b1e-aca2-45ff-8587-87e88f852d4d

Timeline

Publicly Published
2025-09-22 (about 7 months ago)
Added
2025-09-26 (about 7 months ago)
Last Updated
2025-10-02 (about 7 months ago)

Other

Published
Title
Published
2024-03-12
Title
WP Go Maps (formerly WP Google Maps) < 9.0.33 - Contributor+ Stored Cross-Site Scripting via Shortcode
Published
2025-08-20
Title
Notice Bar < 3.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-12-07
Title
Badgearoo <= 1.0.14 - Admin+ Stored XSS
Published
2024-05-14
Title
Borderless - Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg < 1.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Published
2015-08-11
Title
AddThis Sharing Buttons <= 5.0.12 - Authenticated Cross-Site Scripting (XSS)