Skip to main content

Xagio Seo EUVDEUVD-2026-15577

| CVE-2026-24968 CRITICAL
Incorrect Privilege Assignment (CWE-266)
2026-03-25 Patchstack GHSA-v42j-73h5-995f
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15577
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
CRITICAL 9.8

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in Xagio SEO Xagio SEO xagio-seo allows Privilege Escalation.This issue affects Xagio SEO: from n/a through <= 7.1.0.30.

AnalysisAI

This is an Incorrect Privilege Assignment vulnerability (CWE-266) in the Xagio SEO WordPress plugin that allows privilege escalation. The vulnerability affects Xagio SEO versions up to and including 7.1.0.30. An attacker can exploit this flaw to elevate their privileges within the affected WordPress installation, potentially gaining administrative access or performing unauthorized actions. No CVSS score, EPSS data, or KEV status information is currently available, and the vulnerability has not been confirmed as actively exploited in the wild.

Technical ContextAI

Xagio SEO is a WordPress plugin (confirmed via CPE cpe:2.3:a:xagio_seo:xagio_seo:*:*:*:*:*:*:*:*) that provides search engine optimization functionality. The vulnerability stems from a CWE-266 (Incorrect Assignment of Privilege) condition, meaning the plugin fails to properly validate or restrict privilege assignment during its execution. This root cause typically manifests when the plugin grants elevated capabilities or roles to users without proper authorization checks, or when it improperly inherits or delegates WordPress capabilities. The flaw allows an attacker to bypass WordPress role-based access control (RBAC) mechanisms that normally restrict functionality to specific user roles (e.g., administrator, editor, author, subscriber).

RemediationAI

Immediately upgrade Xagio SEO to a patched version beyond 7.1.0.30. Consult the Patchstack security advisory (https://patchstack.com/database/Wordpress/Plugin/xagio-seo/vulnerability/wordpress-xagio-seo-plugin-7-1-0-30-privilege-escalation-vulnerability?_s_id=cve) and the Xagio SEO vendor changelog for the specific patched version number and upgrade instructions. In WordPress admin dashboard, navigate to Plugins > Installed Plugins, locate Xagio SEO, and click Update to install the latest version. As a temporary mitigation while verifying patch availability, restrict access to the WordPress admin dashboard using Web Application Firewall (WAF) rules or network-level access controls to limit who can interact with plugin functionality. Additionally, audit current WordPress user roles and permissions to identify any unauthorized privilege escalations that may have already occurred, and consider disabling or deactivating the plugin entirely if patched versions are not yet available and the plugin is not mission-critical.

Share

EUVD-2026-15577 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy