CVE-2025-3302: 
WordPress vulnerability analysis and mitigation

The Xagio SEO – AI Powered SEO plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-3302) discovered and disclosed on June 11, 2025. The vulnerability affects all versions up to and including 7.1.0.16, with the issue being partially addressed in version 7.1.0.0. This security flaw is present in the plugin's 404 monitoring functionality, specifically related to the 'HTTP_REFERER' parameter (NVD, Wiz).

The vulnerability stems from insufficient input sanitization and output escaping of the 'HTTP_REFERER' parameter in the 404 logging functionality. The security flaw has been assigned a CVSS v3.1 Base Score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, indicating a high severity level with network attack vector, low attack complexity, and no privileges required (NVD, Wiz).

The vulnerability enables unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the affected page. This could potentially lead to data theft, session hijacking, or other malicious actions performed in the context of the user viewing the compromised page (Wiz).

Users are advised to update to the latest version of the plugin (currently 7.1.0.18) which includes various security improvements and bug fixes. The vulnerability was partially addressed in version 7.1.0.0, with subsequent versions providing additional security enhancements (Wiz, WordPress Plugin).