CVE-2025-23554

Vulnerability

Overview

CVE-2025-23554 is a reflected cross-site scripting (XSS) vulnerability in the WordPress plugin Off Page SEO, affecting versions from n/a through 3.0.3. The root cause is improper neutralization of user input neutralization during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript into the response [1].

Exploitation

An attacker can exploit this flaw by crafting a malicious link or form that, when clicked or submitted by a privileged user (e.g., an administrator), causes the injected script to execute in the victim's browser. No authentication is required to initiate the attack, but successful exploitation depends on the target user performing an action such as clicking a link or visiting a specially crafted page [1].

Impact

Successful exploitation enables the attacker to execute arbitrary scripts in the context of the victim's session. This can lead to redirects to malicious sites, injection of advertisements, theft of session cookies, or other actions that compromise the integrity and confidentiality of the affected WordPress site [1].

Mitigation

The vendor has not yet released an official patch. As an immediate measure, users should update the plugin as soon as a fix becomes available. If updating is not possible, a mitigation rule from Patchstack can block attacks until a patch is applied. Given that this vulnerability is expected to be used in mass-exploit campaigns, prompt action is strongly advised [1].