Skip to main content

Search Atlas SEO CVE-2026-57357

| EUVDEUVD-2026-41356 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-2jwq-r643-85mf
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
6.1 MEDIUM

Unauthenticated network-reachable reflected XSS (PR:N, AV:N) requiring a victim click (UI:R); script runs cross-context in the browser (S:C) with low confidentiality/integrity impact and no genuine availability impact (A:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:16 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Search Atlas SEO <= 2.6.6 versions.

AnalysisAI

Reflected cross-site scripting in the Search Atlas SEO WordPress plugin (versions 2.6.6 and earlier, distributed under the 'metasync' slug) lets an unauthenticated attacker inject script that executes in a victim's browser session when they follow a crafted link. Rated CVSS 7.1 with an elevated score due to a scope change, the flaw affects any WordPress site running the vulnerable plugin and can lead to session hijacking, admin action forgery, or redirection. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious link with XSS payload
Delivery
Deliver link to WordPress admin via phishing
Exploit
Victim loads reflected response in browser
Execution
Injected script runs in site origin
Impact
Steal session or forge admin action

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target WordPress site has the Search Atlas SEO (metasync) plugin version 2.6.6 or earlier installed and active, and that a victim user follows an attacker-crafted link or loads an attacker-controlled request to that site (UI:R user interaction is mandatory - the vulnerability cannot be triggered without a victim's action). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) describes a network-reachable, low-complexity, unauthenticated attack that nonetheless requires user interaction (UI:R) - the victim must click or load a malicious link, which is the primary limiting factor typical of reflected XSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to a victim WordPress site containing a malicious script payload in a parameter processed by the Search Atlas SEO plugin, then delivers it via phishing email, a forum post, or a malicious ad. When a logged-in administrator clicks the link, the reflected script executes in their browser under the site's origin, allowing theft of session cookies or forging of authenticated admin requests. …
Remediation Upgrade the Search Atlas SEO (metasync) plugin to a release later than 2.6.6 once available from the vendor; an exact fixed version was not provided in this data, so consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/metasync/vulnerability/wordpress-search-atlas-seo-plugin-2-6-6-reflected-cross-site-scripting-xss-vulnerability) for the patched version before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Disable and remove the Search Atlas SEO plugin (metasync slug, versions 2.6.6 and earlier) from all WordPress installations; audit for presence across the organization. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57357 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy