High severity7.1NVD Advisory· Published Mar 3, 2025· Updated Apr 23, 2026

CVE-2025-25158

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Antonio Sanchez Uncomplicated SEO uncomplicated-seo allows Reflected XSS.This issue affects Uncomplicated SEO: from n/a through <= 1.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in Uncomplicated SEO WordPress plugin (<=1.2) allows attackers to inject malicious scripts via crafted requests, requiring user interaction.

Vulnerability

Overview The Uncomplicated SEO plugin for WordPress, versions up to and including 1.2, is vulnerable to Reflected Cross-Site Scripting (XSS) due to improper neutralization of user input during page generation [1]. This allows an attacker to inject arbitrary web scripts or HTML into a page.

Exploitation

To exploit this vulnerability, an attacker would need to trick a privileged user (such as an administrator) into clicking a malicious link or visiting a crafted page. The attack does not require authentication but depends on user interaction. Once triggered, the injected script executes in the context of the victim's browser [1].

Impact

Successful exploitation could allow an attacker to perform actions such as redirecting visitors, displaying advertisements, or stealing sensitive information like session tokens. This can compromise the security and integrity of the WordPress site [1].

Mitigation

The vendor has not released an official patch as of the publication date. However, immediate action is recommended: update the plugin if a patched version becomes available. Alternatively, consider using a security plugin like Patchstack to block attacks until an official fix is applied [1].

References

Cross Site Scripting (XSS) in WordPress Uncomplicated SEO Plugin

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

WordPress/Uncomplicated Seoinferred
Range: <=1.2
Package: https://wordpress.org/plugins/uncomplicated-seo

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

patchstack.com/database/Wordpress/Plugin/uncomplicated-seo/vulnerability/wordpress-uncomplicated-seo-plugin-1-2-cross-site-scripting-xss-vulnerabilitynvd

News mentions

No linked articles in our index yet.

cvss	0.461
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000