CVE-2025-23549

Vulnerability

Overview

The Maniac SEO plugin for WordPress, versions 2.0 and earlier, contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript into the response, which is then executed in the context of the victim's browser.

Exploitation

Details

Exploitation requires user interaction: a privileged user (such as an administrator) must click a crafted link, visit a specially crafted page, or submit a malicious form [1]. The attacker does not need prior authentication to the WordPress site; they can deliver the malicious link via email, social media, or other channels. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites [1].

Impact

Successful exploitation enables the attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads [1]. These scripts execute when other users visit the affected site, potentially leading to session hijacking, defacement, or further compromise of the WordPress installation.

Mitigation

As of the publication date (2025-03-03), an official patch has not been released. Users are advised to update the plugin as soon as a patched version becomes available [1]. In the interim, Patchstack has issued a mitigation rule to block attacks until an official fix can be tested and safely applied [1].