Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Unauthenticated network-reachable XSS in a WordPress plugin requires victim click (UI:R); injected script crosses trust boundary into admin session (S:C) with limited C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in SEO Redirection <= 9.17 versions.
AnalysisAI
Cross-site scripting in the SEO Redirection WordPress plugin (versions <= 9.17) allows remote unauthenticated attackers to inject malicious scripts that execute in a victim's browser after user interaction such as clicking a crafted link. The flaw has a CVSS 3.1 score of 7.1 with scope-changed impact, indicating injected scripts can affect resources beyond the vulnerable component. There is no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Technical ContextAI
SEO Redirection is a WordPress plugin developed by wp-buy (CPE cpe:2.3:a:wp-buy:seo_redirection) used to manage URL redirects and 404 monitoring on WordPress sites. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied input is reflected or stored in HTML output without proper encoding or sanitization. In WordPress plugin contexts, this class of bug typically arises when GET/POST parameters or referer-style data are echoed into admin pages or front-end responses without escaping via WordPress APIs such as esc_html() or wp_kses(), enabling attacker-controlled HTML and JavaScript to be rendered in a victim's browser session.
RemediationAI
Upgrade the SEO Redirection plugin to a version newer than 9.17 once a fixed release is published; refer to the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/seo-redirection/vulnerability/wordpress-seo-redirection-plugin-9-17-cross-site-scripting-xss-vulnerability for the most current fixed-version information, as the input data does not explicitly confirm a specific patched version. If an immediate upgrade is not possible, compensating controls include deactivating the SEO Redirection plugin until a patched version is installed (trade-off: any custom redirect rules will stop functioning), deploying a Web Application Firewall rule to filter HTML/JavaScript payloads in requests to the plugin's endpoints (trade-off: may produce false positives on legitimate redirect rule entries containing special characters), and restricting access to the WordPress admin interface by IP allowlist to limit the population of users who could be socially engineered into clicking a malicious link. Patch status: No vendor-released patch version is identified in the available input data at time of analysis.
More in Seo Redirection
View allThe setting page of the SEO Redirection Plugin - 301 Redirect Manager WordPress plugin before 6.4 is vulnerable to refle
Multiple Cross-Site Scripting (CSRF) vulnerabilities in SEO Redirection Plugin plugin <= 8.9 on WordPress. Rated high se
Cross-Site Request Forgery (CSRF) vulnerability in SEO Redirection plugin <= 8.9 at WordPress, leading to deletion of 40
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37003
GHSA-chcp-3q6x-xgwr