Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Incorrect Privilege Assignment vulnerability in Xagio SEO Xagio SEO xagio-seo allows Privilege Escalation.This issue affects Xagio SEO: from n/a through <= 7.1.0.30.
AnalysisAI
This is an Incorrect Privilege Assignment vulnerability (CWE-266) in the Xagio SEO WordPress plugin that allows privilege escalation. The vulnerability affects Xagio SEO versions up to and including 7.1.0.30. An attacker can exploit this flaw to elevate their privileges within the affected WordPress installation, potentially gaining administrative access or performing unauthorized actions. No CVSS score, EPSS data, or KEV status information is currently available, and the vulnerability has not been confirmed as actively exploited in the wild.
Technical ContextAI
Xagio SEO is a WordPress plugin (confirmed via CPE cpe:2.3:a:xagio_seo:xagio_seo:*:*:*:*:*:*:*:*) that provides search engine optimization functionality. The vulnerability stems from a CWE-266 (Incorrect Assignment of Privilege) condition, meaning the plugin fails to properly validate or restrict privilege assignment during its execution. This root cause typically manifests when the plugin grants elevated capabilities or roles to users without proper authorization checks, or when it improperly inherits or delegates WordPress capabilities. The flaw allows an attacker to bypass WordPress role-based access control (RBAC) mechanisms that normally restrict functionality to specific user roles (e.g., administrator, editor, author, subscriber).
RemediationAI
Immediately upgrade Xagio SEO to a patched version beyond 7.1.0.30. Consult the Patchstack security advisory (https://patchstack.com/database/Wordpress/Plugin/xagio-seo/vulnerability/wordpress-xagio-seo-plugin-7-1-0-30-privilege-escalation-vulnerability?_s_id=cve) and the Xagio SEO vendor changelog for the specific patched version number and upgrade instructions. In WordPress admin dashboard, navigate to Plugins > Installed Plugins, locate Xagio SEO, and click Update to install the latest version. As a temporary mitigation while verifying patch availability, restrict access to the WordPress admin dashboard using Web Application Firewall (WAF) rules or network-level access controls to limit who can interact with plugin functionality. Additionally, audit current WordPress user roles and permissions to identify any unauthorized privilege escalations that may have already occurred, and consider disabling or deactivating the plugin entirely if patched versions are not yet available and the plugin is not mission-critical.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15577
GHSA-v42j-73h5-995f