Skip to main content

iRobots.txt SEO CVE-2025-68840

| EUVDEUVD-2025-210160 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-j8hq-7m8x-ppmc
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Reflected XSS reachable over the network with no auth (PR:N) but requiring victim click (UI:R); scope changes to the WordPress origin with low CIA impact via session abuse.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:43 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO <= 1.1.2 versions.

AnalysisAI

Reflected cross-site scripting in the iRobots.txt SEO WordPress plugin (versions 1.1.2 and earlier) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 7.1 driven by a scope change, though no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV. Exploitation requires user interaction, which limits mass-scale weaponization but makes it viable for targeted phishing against WordPress administrators.

Technical ContextAI

The affected component is iRobots.txt SEO, a WordPress plugin developed by Mark Beljaars (CPE cpe:2.3:a:markbeljaars:irobots.txt_seo) that helps site owners manage robots.txt directives for search engine optimization. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a reflected XSS where attacker-controlled input echoed back in an HTTP response is not properly encoded before being rendered in the DOM. Because WordPress plugins run inside the same origin as the host site, injected scripts inherit the trust boundary of the WordPress application and can interact with logged-in session state.

RemediationAI

No vendor-released patch identified at time of analysis; the Patchstack advisory does not cite a fixed version, so WordPress administrators running iRobots.txt SEO 1.1.2 or earlier should monitor https://patchstack.com/database/wordpress/plugin/irobotstxt-seo/vulnerability/wordpress-irobots-txt-seo-plugin-1-1-2-reflected-cross-site-scripting-xss-vulnerability for an updated release. Until a fix ships, the most direct compensating control is to deactivate and remove the plugin entirely (trade-off: loss of the plugin's robots.txt management UI, which can be replaced by editing robots.txt manually or via another maintained SEO plugin). As interim controls, deploy a WordPress-aware web application firewall such as Patchstack, Wordfence, or Sucuri with XSS rules enabled to filter reflected script payloads in query parameters, and instruct administrators not to click external links that target the WordPress admin domain.

Share

CVE-2025-68840 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy