CVE-2025-63025

Severity: MEDIUM (CVSS 3.1 base score 4.3)
Published: 2025-12-09 ([email protected])

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline (2 events)

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 09, 2025 - 16:18 (nvd), rated MEDIUM 4.3

Description

Missing Authorization vulnerability in Xagio SEO Xagio SEO xagio-seo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Xagio SEO: from n/a through <= 7.1.0.35.

Analysis

The Xagio SEO WordPress plugin, in versions through 7.1.0.35, contains a missing authorization flaw: plugin functionality that should be restricted to higher-privilege accounts can be invoked by any authenticated user because the expected capability checks are absent or wrongly configured. The practical effect is that a low-privilege account can modify plugin behaviour or settings it should not be able to touch. The CVSS 3.1 base score is 4.3 (network-reachable, low attack complexity, low privileges required, no user interaction; integrity impact only, with no confidentiality or availability impact), and the EPSS estimate of 0.04% indicates a low probability of exploitation in the wild.

Technical Context

The vulnerability is classified as CWE-862 (Missing Authorization): the application performs a sensitive operation without first verifying that the calling user is permitted to perform it. In Xagio SEO, the checks that should decide which authenticated users may execute specific administrative or privileged functions are missing or misconfigured, so an account with limited privileges (PR:L in the CVSS vector) can reach functionality intended for higher-privilege accounts. This is a recurring pattern in WordPress plugins. WordPress has no separate RBAC layer: roles are bundles of capabilities, and authorization happens only where a handler explicitly calls current_user_can() (or a REST route supplies a permission_callback). Any wp_ajax_{action} handler is reachable by every logged-in user, whatever their role, so a handler that omits the capability check is exposed to subscribers and contributors as much as to administrators. A related mistake is treating a nonce check as authorization: check_ajax_referer() defends against CSRF but says nothing about whether the caller is allowed to perform the action.
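The pattern described above, as an added example written for this page rather than code from Xagio SEO: a CWE-862 admin-ajax handler next to its hardened form, plus the equivalent REST route. The plugin name, action name, option name and settings keys are hypothetical; the only WordPress API assumed is the standard plugin API (add_action, current_user_can, check_ajax_referer, register_rest_route and friends), so the file runs when dropped into wp-content/plugins/.

```php
<?php
/**
 * Plugin Name: Authorization Check Demo (hypothetical)
 * Description: A CWE-862 admin-ajax handler beside a hardened one.
 * Added example for this page; not Xagio SEO code. All names are hypothetical.
 */

defined( 'ABSPATH' ) || exit;

// --- Vulnerable pattern (kept unregistered; do not ship) ---------------------
// wp_ajax_{action} fires for ANY logged-in user, regardless of role. With no
// capability check, a subscriber can POST action=demo_seo_save_settings and
// overwrite the option. A nonce alone would not fix this: nonces stop CSRF,
// they do not establish that the caller is allowed to perform the action.
function demo_seo_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'demo_seo_settings', $settings ); // missing authorization
    wp_send_json_success( array( 'saved' => true ) );
}
// add_action( 'wp_ajax_demo_seo_save_settings', 'demo_seo_save_settings_vulnerable' );

// --- Hardened pattern ---------------------------------------------------------
function demo_seo_save_settings_hardened() {
    // 1. CSRF: the request must carry a nonce bound to this action
    //    (the client gets it from wp_create_nonce( 'demo_seo_save_settings' )).
    check_ajax_referer( 'demo_seo_save_settings', 'nonce' );

    // 2. Authorization: the caller must hold the capability the operation
    //    requires. manage_options is what WordPress itself uses for settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input handling: accept only the keys you expect, sanitized.
    $raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $settings = array(
        'title_suffix' => isset( $raw['title_suffix'] ) ? sanitize_text_field( $raw['title_suffix'] ) : '',
        'noindex'      => ! empty( $raw['noindex'] ),
    );

    update_option( 'demo_seo_settings', $settings );
    wp_send_json_success( array( 'saved' => true ) );
}
add_action( 'wp_ajax_demo_seo_save_settings', 'demo_seo_save_settings_hardened' );

// Same rule for REST routes: permission_callback is where authorization lives.
// Passing '__return_true' there would be the REST equivalent of the vulnerable
// handler above.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-seo/v1', '/settings', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'callback'            => function ( WP_REST_Request $request ) {
            $settings = array(
                'title_suffix' => sanitize_text_field( (string) $request->get_param( 'title_suffix' ) ),
                'noindex'      => (bool) $request->get_param( 'noindex' ),
            );
            update_option( 'demo_seo_settings', $settings );
            return rest_ensure_response( array( 'saved' => true ) );
        },
    ) );
} );
```

A quick review heuristic for any plugin you are assessing: list every add_action( 'wp_ajax_... ) and register_rest_route( ... ) call and confirm that each handler, or its permission_callback, calls current_user_can() with a capability appropriate to the operation. A handler that only calls check_ajax_referer(), or a route whose permission_callback is '__return_true', is the shape this CVE describes.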

Affected Products

Xagio SEO WordPress plugin versions from an unspecified baseline through 7.1.0.35 are affected, which means every WordPress site running one of those versions. The plugin is distributed through the WordPress plugin repository. Exploitation requires an authenticated account; this page's reading of Patchstack's advisory (https://patchstack.com/database/Wordpress/Plugin/xagio-seo/vulnerability/wordpress-xagio-seo-plugin-7-1-0-29-broken-access-control-vulnerability) is that a contributor-level or higher role is sufficient, so sites that hand out contributor accounts (guest authors, content teams, open registration with elevated defaults) have a correspondingly larger attacker pool. The impact is limited to integrity: unauthorized changes to plugin functionality or settings.

Remediation

Update Xagio SEO to a patched version. The fixed version is not stated in the CVE record; take it from the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/xagio-seo/vulnerability/wordpress-xagio-seo-plugin-7-1-0-29-broken-access-control-vulnerability and compare it against the version actually installed rather than assuming the first release after 7.1.0.35 is the fix. Until the update is applied, the most reliable workaround is to deactivate the plugin, since the flaw is in the plugin's own handlers and no WordPress setting removes it. If deactivation is not an option, shrink the attacker pool: review every account at the role the advisory names (contributor or higher) and remove or downgrade those that do not need it, and audit custom roles and capability-management plugins for non-administrators that have been granted manage_options or similar capabilities. Finally, monitor for unauthorized plugin configuration changes: watch web server logs for POST requests to admin-ajax.php and the plugin's REST routes from low-privilege sessions, and log option updates on the WordPress side so a change made by an account that should not have been able to make it is visible after the fact.
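One way to do the monitoring and the capability audit just described, as an added example written for this page rather than code from Xagio SEO or from the site: a must-use plugin that logs every change to options under a given prefix together with who made it, flags changes made by callers without manage_options (the situation this CVE produces), and exposes a helper that lists the accounts holding a capability. The option prefix is an assumption, not taken from the plugin; replace it with the prefix the plugin you are watching actually uses, and adjust the capability to the one its handlers are supposed to require.

```php
<?php
/**
 * Plugin Name: Option Change Audit (hypothetical)
 * Description: Logs changes to prefixed options and lists who can manage them.
 * Added example for this page; not Xagio SEO code. Drop into wp-content/mu-plugins/.
 */

defined( 'ABSPATH' ) || exit;

// ASSUMPTION: the prefix the watched plugin uses for its options. Not taken
// from Xagio SEO; set it from a look at the wp_options table on your site.
const OCA_OPTION_PREFIX = 'xagio_';

// Capability the plugin's settings handlers are expected to require.
const OCA_REQUIRED_CAP = 'manage_options';

// Who is making the request. Cron and WP-CLI runs have no current user and
// show up as anonymous; treat those lines separately when reviewing.
function oca_actor_context() {
    $user = wp_get_current_user();
    return sprintf(
        'user_id=%d login=%s roles=%s ip=%s uri=%s',
        $user->ID,
        $user->exists() ? $user->user_login : '-',
        $user->exists() ? implode( ',', $user->roles ) : 'anonymous',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
    );
}

// Fires on updated_option (option, old, new) and, via the wrapper below, on
// added_option. A change by a caller lacking the required capability is the
// signature of a missing-authorization handler being exercised.
function oca_log_change( $option, $old_value, $new_value ) {
    if ( strpos( $option, OCA_OPTION_PREFIX ) !== 0 ) {
        return;
    }
    $flag = current_user_can( OCA_REQUIRED_CAP ) ? '' : ' SUSPICIOUS';
    error_log( sprintf(
        '[option-audit]%s option=%s %s old=%s new=%s',
        $flag,
        $option,
        oca_actor_context(),
        wp_json_encode( $old_value ),
        wp_json_encode( $new_value )
    ) );
}
add_action( 'updated_option', 'oca_log_change', 10, 3 );
add_action( 'added_option', function ( $option, $value ) {
    oca_log_change( $option, null, $value );
}, 10, 2 );

// Audit helper: which accounts hold a capability that should be admin-only.
// Run from WP-CLI:  wp eval 'print_r( oca_users_with_cap( "manage_options" ) );'
// Anything in this list that is not a known administrator needs explaining.
function oca_users_with_cap( $cap ) {
    $logins = array();
    foreach ( get_users( array( 'fields' => array( 'ID', 'user_login' ) ) ) as $u ) {
        if ( user_can( $u->ID, $cap ) ) {
            $logins[] = $u->user_login;
        }
    }
    return $logins;
}
```

The log lines land wherever PHP's error_log points (WP_DEBUG_LOG sends them to wp-content/debug.log); ship them to whatever collects your other WordPress logs and alert on the SUSPICIOUS marker. The audit helper answers the "who could have done this" question for the capability the handler should have checked; it does not tell you which accounts can reach the vulnerable handler, because by definition that handler checks nothing.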

Priority Score

22 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +22
POC: 0

CVE-2025-63025 vulnerability details – vuln.today