CVE-2025-25126

CVE-2025-25126 is a Cross-Site Request Forgery (CSRF) vulnerability in the ZMSEO WordPress plugin that allows Stored Cross-Site Scripting (XSS). This issue, associated with CWE-352, affects the ZMSEO plugin from unknown initial versions through version 1.14.1 inclusive. The vulnerability received a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, user interaction, changed scope, and low impacts across confidentiality, integrity, and availability.

Unauthenticated attackers (PR:N) can exploit this vulnerability over the network (AV:N) by tricking authenticated users into interacting with a malicious webpage (UI:R), such as clicking a link or visiting a site that submits a forged CSRF request. This action enables the storage of XSS payloads within the plugin, potentially allowing subsequent execution in the context of other users viewing affected content.

The primary advisory from Patchstack details the CSRF-to-Stored XSS vulnerability in ZMSEO plugin version 1.14.1 and is available at https://patchstack.com/database/Wordpress/Plugin/zmseo/vulnerability/wordpress-zmseo-plugin-1-14-1-csrf-to-stored-xss-vulnerability?_s_id=cve for mitigation guidance and patch information.