Search criteria
3 vulnerabilities by Xagio
CVE-2024-13807 (GCVE-0-2024-13807)
Vulnerability from cvelistv5 – Published: 2025-08-28 05:24 – Updated: 2025-08-28 14:48
VLAI?
Title
Xagio SEO <= 7.1.0.5 - Unauthenticated Sensitive Information Exposure via Unprotected Back-Up Files
Summary
The Xagio SEO plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.1.0.5 via the backup functionality due to weak filename structure and lack of protection in the directory. This makes it possible for unauthenticated attackers to extract sensitive data from backups which can include the entire database and site's files.
Severity ?
7.5 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xagio | Xagio SEO – AI Powered SEO |
Affected:
* , ≤ 7.1.0.5
(semver)
|
Credits
wesley
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13807",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-28T13:36:05.905735Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:48:42.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Xagio SEO \u2013 AI Powered SEO",
"vendor": "xagio",
"versions": [
{
"lessThanOrEqual": "7.1.0.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Xagio SEO plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.1.0.5 via the backup functionality due to weak filename structure and lack of protection in the directory. This makes it possible for unauthenticated attackers to extract sensitive data from backups which can include the entire database and site\u0027s files."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T05:24:51.897Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9d7b7f4b-6acb-4ccb-8f2e-951012996ac7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/xagio-seo/tags/7.0.0.19/modules/backups/models/xagio_backups.php#L1882"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3292024/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-27T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Xagio SEO \u003c= 7.1.0.5 - Unauthenticated Sensitive Information Exposure via Unprotected Back-Up Files"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13807",
"datePublished": "2025-08-28T05:24:51.897Z",
"dateReserved": "2025-01-30T19:08:19.862Z",
"dateUpdated": "2025-08-28T14:48:42.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3302 (GCVE-0-2025-3302)
Vulnerability from cvelistv5 – Published: 2025-06-11 11:18 – Updated: 2025-06-11 13:12
VLAI?
Title
Xagio SEO <= 7.1.0.16 - Unauthenticated Stored Cross-Site Scripting via 'HTTP_REFERER'
Summary
The Xagio SEO – AI Powered SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘HTTP_REFERER’ parameter in all versions up to, and including, 7.1.0.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 7.1.0.0.
Severity ?
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xagio | Xagio SEO – AI Powered SEO |
Affected:
* , ≤ 7.1.0.16
(semver)
|
Credits
Jack Taylor
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3302",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-11T13:12:00.480932Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T13:12:06.375Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Xagio SEO \u2013 AI Powered SEO",
"vendor": "xagio",
"versions": [
{
"lessThanOrEqual": "7.1.0.16",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jack Taylor"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Xagio SEO \u2013 AI Powered SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018HTTP_REFERER\u2019 parameter in all versions up to, and including, 7.1.0.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 7.1.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T11:18:37.031Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9e2afd66-c896-47c8-bf56-84a086087d55?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/xagio-seo/tags/7.0.0.34/modules/redirects/models/xagio_log404.php#L263"
},
{
"url": "https://plugins.trac.wordpress.org/browser/xagio-seo/tags/7.0.0.34/modules/redirects/models/xagio_log404.php#L335"
},
{
"url": "https://plugins.trac.wordpress.org/browser/xagio-seo/tags/7.0.0.34/modules/redirects/redirects.js#L554"
},
{
"url": "https://plugins.trac.wordpress.org/browser/xagio-seo/tags/7.0.0.34/modules/redirects/redirects.js#L662"
},
{
"url": "https://wordpress.org/plugins/xagio-seo"
},
{
"url": "https://xagio.com/redirects/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3281174/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3305780/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-10T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Xagio SEO \u003c= 7.1.0.16 - Unauthenticated Stored Cross-Site Scripting via \u0027HTTP_REFERER\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-3302",
"datePublished": "2025-06-11T11:18:37.031Z",
"dateReserved": "2025-04-04T23:02:19.382Z",
"dateUpdated": "2025-06-11T13:12:06.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24702 (GCVE-0-2025-24702)
Vulnerability from cvelistv5 – Published: 2025-01-24 17:24 – Updated: 2025-01-24 18:56
VLAI?
Title
WordPress Xagio SEO plugin <= 7.0.0.20 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xagio Xagio SEO allows Stored XSS. This issue affects Xagio SEO: from n/a through 7.0.0.20.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Credits
Peter Thaleikis (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24702",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-24T18:45:56.540290Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-24T18:56:10.728Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "xagio-seo",
"product": "Xagio SEO",
"vendor": "Xagio",
"versions": [
{
"changes": [
{
"at": "7.0.0.21",
"status": "unaffected"
}
],
"lessThanOrEqual": "7.0.0.20",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Peter Thaleikis (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Xagio Xagio SEO allows Stored XSS.\u003c/p\u003e\u003cp\u003eThis issue affects Xagio SEO: from n/a through 7.0.0.20.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Xagio Xagio SEO allows Stored XSS. This issue affects Xagio SEO: from n/a through 7.0.0.20."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-24T17:24:51.689Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/xagio-seo/vulnerability/wordpress-xagio-seo-plugin-7-0-0-20-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Xagio SEO wordpress plugin to the latest available version (at least 7.0.0.21)."
}
],
"value": "Update the WordPress Xagio SEO wordpress plugin to the latest available version (at least 7.0.0.21)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Xagio SEO plugin \u003c= 7.0.0.20 - Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-24702",
"datePublished": "2025-01-24T17:24:51.689Z",
"dateReserved": "2025-01-23T14:52:23.105Z",
"dateUpdated": "2025-01-24T18:56:10.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}