Severity by source
AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
The Sentence To SEO (keywords, description and tags) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Permanent keywords' field in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin reads user input via filter_input_array(INPUT_POST) which applies no HTML sanitization (FILTER_DEFAULT), stores it unsanitized to the WordPress options table via update_option(), and then outputs the stored value directly into a textarea element without any escaping using PHP short echo tags (<?= ?>). An attacker can break out of the textarea element using a closing </textarea> tag and inject arbitrary HTML/JavaScript. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the plugin's settings page.
AnalysisAI
Stored cross-site scripting in the Sentence To SEO WordPress plugin (versions up to 1.0) allows authenticated administrators to inject arbitrary JavaScript into the plugin settings page via the 'Permanent keywords' field. The vulnerability stems from insufficient input sanitization and output escaping, enabling attackers to break out of a textarea element and inject malicious scripts that execute when other users access the settings page. This requires administrator-level privileges and does not affect unauthenticated users.
Technical ContextAI
The Sentence To SEO plugin for WordPress processes user input through filter_input_array(INPUT_POST) using FILTER_DEFAULT, which performs no HTML sanitization. The unsanitized input is stored directly to the WordPress options table via update_option() without any sanitization. Upon retrieval, the stored value is output directly into an HTML textarea element using PHP short echo tags (<?= ?>) with no escaping function applied. This creates a classic stored XSS vulnerability (CWE-79) where an attacker can inject a closing </textarea> tag followed by arbitrary HTML and JavaScript to break containment and execute scripts in the DOM. The vulnerability affects the WordPress plugin architecture layer where administrative settings are managed.
RemediationAI
The primary remediation is to update the Sentence To SEO plugin to a patched version once released by the vendor. In the immediate term, administrators should disable the plugin if not actively required, or restrict administrative access to trusted users only via WordPress role and capability management. The underlying code requires two fixes: (1) apply WordPress sanitization functions such as sanitize_text_field() or wp_kses_post() to user input from filter_input_array() before storing via update_option(), and (2) use WordPress escaping functions such as esc_attr() or esc_html() when outputting the stored value in the textarea element instead of bare short echo tags. Administrators should monitor the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/7d11b2db-d097-433f-923c-f49ef2951c0e and the WordPress plugin repository for patch availability.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24684
GHSA-95vj-cwqx-rpmc