Skip to main content

Xagio SEO Xagio SEO CVE-2025-63025

MEDIUM
Missing Authorization (CWE-862)
2025-12-09 audit@patchstack.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Apr 01, 2026 - 15:22 vuln.today
CVE Published
Dec 09, 2025 - 16:18 nvd
MEDIUM 4.3

DescriptionCVE.org

Missing Authorization vulnerability in Xagio SEO Xagio SEO xagio-seo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Xagio SEO: from n/a through <= 7.1.0.35.

AnalysisAI

Xagio SEO WordPress plugin through version 7.1.0.35 contains a missing authorization vulnerability that allows authenticated users to perform unauthorized actions due to incorrectly configured access control security levels. The vulnerability has a CVSS score of 4.3 with low real-world exploitation probability (EPSS 0.04%), affecting authenticated users who can bypass intended access restrictions to modify plugin functionality or settings.

Technical ContextAI

The vulnerability stems from CWE-862 (Missing Authorization), a class of flaws where the application fails to verify that a user has appropriate permissions before performing sensitive operations. In Xagio SEO, the access control mechanisms that determine which authenticated users can execute specific administrative or privileged functions are improperly configured, allowing users with limited privileges (PR:L in CVSS) to access functionality intended for higher-privilege accounts. This is a common issue in WordPress plugins where role-based access control (RBAC) checks are incomplete or missing from action handlers, allowing any authenticated user to call administrative AJAX endpoints or REST API routes without proper capability verification.

Affected ProductsAI

Xagio SEO WordPress plugin versions from an unspecified baseline through version 7.1.0.35 are affected. The vulnerability impacts all installations of this plugin on WordPress sites running the affected versions. Per Patchstack's advisory (https://patchstack.com/database/Wordpress/Plugin/xagio-seo/vulnerability/wordpress-xagio-seo-plugin-7-1-0-29-broken-access-control-vulnerability), the plugin is distributed via the WordPress plugin repository and affects site administrators and users with contributor or higher roles who may inadvertently grant access to unauthorized functions.

RemediationAI

Update Xagio SEO to the latest patched version released after 7.1.0.35. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/xagio-seo/vulnerability/wordpress-xagio-seo-plugin-7-1-0-29-broken-access-control-vulnerability for the exact fixed version number. As an immediate workaround, restrict WordPress user roles and capabilities to only trusted administrators, and audit existing user permissions to ensure non-administrators do not have unintended elevated privileges. Additionally, monitor access logs for unauthorized plugin configuration changes.

Share

CVE-2025-63025 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy