CVE-2025-23554

2025-12-30 [email protected]

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 16:39 (vuln.today)
CVE Published: Dec 30, 2025 - 00:15 (nvd)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jakub Glos Off Page SEO off-page-seo allows Reflected XSS. This issue affects Off Page SEO: from n/a through <= 3.0.3.

Analysis

Reflected cross-site scripting (XSS) in the Off Page SEO WordPress plugin through version 3.0.3 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during page generation, enabling attackers to steal session cookies, redirect users, or perform actions on behalf of victims through crafted URLs. No public exploit code has been identified, and the low EPSS score (0.04%) suggests minimal real-world exploitation likelihood despite the moderate theoretical attack surface.

Technical Context

This vulnerability is a reflected XSS flaw classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a foundational web application security weakness. The Off Page SEO plugin, a WordPress component, fails to properly sanitize or validate user-supplied input before rendering it in HTML output. Reflected XSS differs from stored XSS in that the malicious payload is not persisted in a database but rather delivered via a manipulated URL parameter. When a victim clicks a malicious link, the unfiltered input is reflected in the response, and the browser executes it as trusted code within the context of the WordPress site's domain. This affects the plugin's user-facing functionality where query parameters or form inputs are echoed back without adequate escaping or content security policies.

Affected Products

Off Page SEO WordPress plugin versions from an unspecified baseline through and including version 3.0.3 are affected. The plugin is distributed via the WordPress.org plugin repository and is identifiable by the CPE identifier related to WordPress plugins. Users running any version of the Off Page SEO plugin at or below 3.0.3 are vulnerable to reflected XSS attacks. Detailed version history and exact affected ranges should be verified through the official WordPress plugin page and the Patchstack vulnerability database linked in the references.

Remediation

The primary remediation is to update the Off Page SEO plugin to a version newer than 3.0.3. The available data does not explicitly specify a patched version, so users should check the WordPress plugin repository for the latest available release. To update, navigate to the WordPress dashboard, go to Plugins, locate Off Page SEO, and click Update if available. As an interim workaround, administrators can temporarily deactivate the plugin if it is not critical to operations, or implement Web Application Firewall (WAF) rules to filter out common XSS payloads from incoming requests. Additionally, enabling WordPress security hardening measures such as Content Security Policy (CSP) headers and limiting plugin access to trusted administrators can reduce exposure. For detailed patch information and vendor guidance, consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/off-page-seo/vulnerability/wordpress-off-page-seo-plugin-3-0-3-reflected-cross-site-scripting-xss-vulnerability.

Priority Score

Score: 0
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
