Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Reflected XSS reachable over the network with no auth (PR:N) but requiring victim click (UI:R); scope changes to the WordPress origin with low CIA impact via session abuse.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO <= 1.1.2 versions.
AnalysisAI
Reflected cross-site scripting in the iRobots.txt SEO WordPress plugin (versions 1.1.2 and earlier) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 7.1 driven by a scope change, though no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV. Exploitation requires user interaction, which limits mass-scale weaponization but makes it viable for targeted phishing against WordPress administrators.
Technical ContextAI
The affected component is iRobots.txt SEO, a WordPress plugin developed by Mark Beljaars (CPE cpe:2.3:a:markbeljaars:irobots.txt_seo) that helps site owners manage robots.txt directives for search engine optimization. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a reflected XSS where attacker-controlled input echoed back in an HTTP response is not properly encoded before being rendered in the DOM. Because WordPress plugins run inside the same origin as the host site, injected scripts inherit the trust boundary of the WordPress application and can interact with logged-in session state.
RemediationAI
No vendor-released patch identified at time of analysis; the Patchstack advisory does not cite a fixed version, so WordPress administrators running iRobots.txt SEO 1.1.2 or earlier should monitor https://patchstack.com/database/wordpress/plugin/irobotstxt-seo/vulnerability/wordpress-irobots-txt-seo-plugin-1-1-2-reflected-cross-site-scripting-xss-vulnerability for an updated release. Until a fix ships, the most direct compensating control is to deactivate and remove the plugin entirely (trade-off: loss of the plugin's robots.txt management UI, which can be replaced by editing robots.txt manually or via another maintained SEO plugin). As interim controls, deploy a WordPress-aware web application firewall such as Patchstack, Wordfence, or Sucuri with XSS rules enabled to filter reflected script payloads in query parameters, and instruct administrators not to click external links that target the WordPress admin domain.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210160
GHSA-j8hq-7m8x-ppmc