CVE-2025-4611: 
WordPress vulnerability analysis and mitigation

The Slim SEO WordPress plugin (versions up to and including 4.5.3) contains a Stored Cross-Site Scripting vulnerability via the plugin's slimseobreadcrumbs shortcode. The vulnerability exists due to insufficient input sanitization and output escaping on user-supplied attributes. This security issue was discovered and reported in May 2025 (NVD, Wiz).

The vulnerability exists in the breadcrumbs functionality where user input was not properly sanitized before being output in the HTML. Specifically, the issue was in the Breadcrumbs.php file where text values were being directly output without proper escaping. The vulnerability has a CVSS v3.1 Base Score of 6.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page that contains the injected content (NVD).

The vulnerability has been patched in version 4.5.4 of the Slim SEO plugin. The fix includes proper escaping of output using WordPress escape functions like escattr, escurl, and esc_html (GitHub Commit). Users are advised to update to version 4.5.4 or later to protect against this vulnerability (WordPress Plugin).