CVE-2025-48307
Description
CSRF to Stored XSS in WordPress SEO For Images plugin (≤1.0.0) allows attackers to inject malicious scripts via forged requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Cross-Site Request Forgery (CSRF) vulnerability exists in the WordPress plugin SEO For Images, affecting versions from n/a through 1.0.0. The flaw allows an unauthenticated attacker to trick a privileged user (e.g., an administrator) into submitting a crafted request, leading to Stored Cross-Site Scripting (XSS). The root cause is insufficient CSRF protection on certain plugin actions, enabling attackers to bypass same-origin policy [1].
To exploit this vulnerability, an attacker must induce a logged-in administrator to perform an action, such as clicking a malicious link, visiting a crafted page, or submitting a form, while authenticated to the WordPress admin panel. No direct authentication is required; the attack leverages the victim's session. The CSRF vector allows the attacker to inject arbitrary JavaScript into the plugin's settings or image metadata, which is then stored and executed when other users view affected pages [1].
Successful exploitation results in stored XSS, enabling the attacker to execute malicious scripts in the context of other users' browsers. This can lead to session hijacking, defacement, or redirection to phishing sites. The CVSS v3 score is 7.1 (High), reflecting the need for user interaction but the potential for broad impact across multiple sites [1]. Mass-exploit campaigns may target this vulnerability due to the plugin's wide use. As of publication, no patch is available; users should disable the plugin or apply web application firewall rules until an update is released [1].
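The root cause named above, a plugin action that accepts a state-changing request without CSRF protection and then stores and renders the submitted value unescaped, is the standard WordPress pattern that nonce and capability checks exist to close. The following is an added example and not the SEO For Images plugin's code: it uses a hypothetical option name (`sfi_image_alt_template`) and hypothetical function names, and contrasts the weak handler shape with the hardened form using only core WordPress APIs (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `sanitize_text_field`, `esc_attr`).

```php
<?php
/**
 * Added example (not the SEO For Images plugin's code). Option name and
 * function names are hypothetical. Shows the CSRF-to-stored-XSS shape the
 * CVE describes, then the hardened equivalent a reviewer would expect.
 */

// --- BEFORE (weak pattern): no nonce, no capability check, raw storage,
// --- unescaped output. Any cross-site POST made by an admin's browser is
// --- accepted, and whatever was stored is echoed back into markup.
function sfi_weak_save_settings() {
    if ( isset( $_POST['sfi_image_alt_template'] ) ) {
        update_option( 'sfi_image_alt_template', $_POST['sfi_image_alt_template'] );
    }
}
function sfi_weak_render_setting() {
    echo '<input name="sfi_image_alt_template" value="' . get_option( 'sfi_image_alt_template' ) . '">';
}

// --- AFTER (hardened): the form carries a nonce; the handler verifies the
// --- nonce and the capability, sanitizes before storing, and every sink
// --- escapes on output.
function sfi_safe_render_settings_form() {
    $current = get_option( 'sfi_image_alt_template', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="sfi_save_settings">
        <?php wp_nonce_field( 'sfi_save_settings', 'sfi_nonce' ); ?>
        <label for="sfi_image_alt_template">Alt text template</label>
        <input type="text" id="sfi_image_alt_template" name="sfi_image_alt_template"
               value="<?php echo esc_attr( $current ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function sfi_safe_save_settings() {
    // 1. Authorization: only users who may manage options can change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the nonce must be present and valid for this action.
    //    check_admin_referer() calls wp_die() on failure, so nothing below
    //    runs for a forged cross-site request.
    check_admin_referer( 'sfi_save_settings', 'sfi_nonce' );

    // 3. Input validation: strip tags and control characters, bound the
    //    length, so script markup never reaches the database.
    $raw      = isset( $_POST['sfi_image_alt_template'] ) ? wp_unslash( $_POST['sfi_image_alt_template'] ) : '';
    $template = sanitize_text_field( $raw );
    $template = mb_substr( $template, 0, 200 );

    update_option( 'sfi_image_alt_template', $template );

    wp_safe_redirect( add_query_arg( 'sfi_saved', '1', admin_url( 'options-general.php?page=sfi' ) ) );
    exit;
}
// admin_post_{action} fires only for logged-in users; the nopriv variant is
// deliberately not registered, so anonymous requests never reach the handler.
add_action( 'admin_post_sfi_save_settings', 'sfi_safe_save_settings' );

// Front-end sink: escape again on output, so stored data cannot execute even
// if a gap in the sanitizer is found later. Uses a plain placeholder rather
// than sprintf() so a user-controlled template cannot act as a format string.
function sfi_safe_image_alt( $alt ) {
    $template = get_option( 'sfi_image_alt_template', '{alt}' );
    return esc_attr( str_replace( '{alt}', $alt, $template ) );
}
```

The three layers are independent: the capability check stops low-privilege users, the nonce stops forged requests from privileged users' browsers, and sanitize-on-input plus escape-on-output stops a stored value from ever executing. A web application firewall rule, which the narrative suggests as an interim measure while no patch exists, can only approximate the second and third layers and does not replace them.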
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=1.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference
News mentions
No linked articles in our index yet.