CVE-2025-60184

Vulnerability

Overview The SEO Search Permalink plugin for WordPress (versions up to and including 1.0.3) contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript code that persists on the server and executes in the browsers of visitors.

Exploitation

Details Exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a crafted link or submitting a specially prepared form [1]. The attacker does not need direct access to the site; they can deliver the payload through social engineering or other means. Once the malicious script is stored, it will be served to any user visiting the affected page.

Impact

Successful exploitation allows the attacker to execute arbitrary scripts in the context of their in the context of the victim's browser. This can be used to redirect visitors to malicious sites, display unauthorized advertisements, steal session hijacking, or deface the website [1]. The vulnerability is actively used in mass-exploit campaigns targeting thousands of WordPress sites regardless of size or popularity.

Mitigation

The plugin vendor has not released a patched version; users are advised to immediately update the plugin if a fix becomes available. As a workaround, consider disabling the plugin or implementing a Web Application Firewall (WAF) rule to block XSS payloads, or consult with a hosting provider or web developer for assistance [1].