CVE-2025-60184: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the WordPress SEO Search Permalink plugin, tracked as CVE-2025-60184. The vulnerability affects versions up to 1.0.3 of the plugin and was discovered by security researcher Nabil Irawan. The issue was publicly disclosed on September 26, 2025 (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 score of 5.9 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring high privileges (PR:H) and user interaction (UI:R). The scope is changed (S:C) with low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L) (NVD).

The vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site. The software is considered abandoned, as it hasn't received updates for over a year, increasing the potential security risk (Patchstack).

As no official fix is available and the software is considered abandoned, the recommended mitigation is to remove and replace the plugin with an alternative solution. Deactivating the software alone does not remove the security threat unless a virtual patch is deployed (Patchstack).