CVE-2025-4127: 
WordPress vulnerability analysis and mitigation

The WP SEO Structured Data Schema plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-4127) discovered in versions up to and including 2.7.11. The vulnerability was disclosed on May 8, 2025, affecting the 'Price Range' parameter due to insufficient input sanitization and output escaping (NVD, Wiz).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 6.4 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability exists in the plugin's handling of the 'Price Range' parameter, where insufficient input sanitization and output escaping allows for the injection of malicious scripts (NVD, Wiz).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts that execute whenever an administrator accesses the plugin settings page. This could lead to potential compromise of administrator accounts and unauthorized access to sensitive plugin settings (NVD).

A fix has been released in version 2.8.0 of the WP SEO Structured Data Schema plugin. Site administrators are advised to update to this latest version immediately to address the vulnerability (WordPress Changeset).