Simple SEO is a lightweight WordPress plugin that generates and manages SEO meta tags (title, meta description, keywords), supports quick-edit, sitemap generation and imports from other SEO plugins. In versions up to 2.0.32, the plugin contains a stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-10357) that allows a user with Contributor (or higher) privileges to store malicious HTML/JS inside the plugin’s SEO fields (HTML-encoded Title). The injected script executes later when the field is rendered, potentially in the context of administrators or other privileged users.

CVE: CVE-2025-8282
Plugin Version: Simple SEO < 2.0.32
Critical: High
All Time: 170 622
Active installations: 10 000+
Publicly Published: September 25, 2025
Last Updated: September 25, 2025
Researcher: Artyom Krugov
PoC: Yes
Exploit: No
Reference: https://www.cve.org/CVERecord?id=CVE-2025-10357
https://wpscan.com/vulnerability/24fcf8ef-603f-4e1f-905d-fbaf989a617f/

Timeline

September 09, 2025: Plugin testing and vulnerability detection in the Simple SEO have been completed
September 09, 2025: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
September 25, 2025: Registered CVE-2025-10357

Discovery of the Vulnerability

During plugin testing it was discovered that the Simple SEO meta fields (notably the HTML-encoded Title) accepted user-supplied input but did not properly sanitize or escape it before saving and rendering. As a result, a malicious contributor can insert HTML-encoded payloads that are persisted in the database and executed when an admin or an editor views the post or the area where those meta values are rendered.

Understanding Stored XSS in WordPress and real examples

Stored XSS occurs when an application stores untrusted input (in a database, comment, or plugin setting) and later renders it into a page without proper sanitization/escaping. In WordPress, stored XSS is especially dangerous because:

  • WordPress is multi-user — lower-privileged users (e.g., Contributors) often create content that will be viewed by higher-privileged users (Editors, Admins).
  • Plugins commonly add fields and metadata that are saved and later rendered in different contexts (admin screens, frontend, REST output).
  • If rendered in an admin context, an XSS payload can run in the administrator’s session and be used to perform administrative actions.

Exploiting the Stored XSS Vulnerability

To exploit CVE-2025-10357, an attacker with editor+ cookies proceeds as follows:

POC:

1) Log in as a user with Contributor+ permissions.
2) Create a new post.
3) Open the Simple SEO tab in the post editor.
4) Paste the HTML-encoded payload into the Title field and save the post.
5) When a privileged user views the post (or the area where the plugin renders that title), the payload is decoded/executed in the browser.

PoC payload (HTML-encoded):
"&gt;&lt;script&gt;&lt;/script&gt;&lt;img src=x onerror=alert(777)&gt;

____

The attacker has a Contributor (or similar) account on the target WordPress site (this could be a malicious insider, a compromised contributor account, or someone who gained registration privileges).

Recommendations for Improved Security

Immediate mitigations (site administrators)

  • Restrict roles: Limit who can create or edit posts with Contributor-level privileges — require review before publishing.
  • Review recent posts: Inspect recently created/edited posts for suspicious meta values (especially SEO fields).
  • Use a WAF / security plugin: Deploy a Web Application Firewall (Cloudflare, Sucuri) and an endpoint scanner (Wordfence, MalCare) to detect and block malicious payloads.
  • Remove or sanitize suspicious entries: If you find injected content, remove it or sanitize it (do this on a staging copy first if unsure).
  • Monitor logs & alerting: Enable monitoring for unusual admin actions or new admin users.
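
For the "Review recent posts" step, a scan has to decode HTML entities before looking for markup, because the PoC value is stored HTML-encoded and contains no literal "<script". The following is an added example, not code from the original post or from the plugin; the meta key names and the sample rows are constructed placeholders, and the rows are assumed to come from an export of post meta as (post_id, meta_key, meta_value).

```python
import html
import re

# Markup that has no business in an SEO title or description value.
# This is a triage pattern: review every hit by hand before deleting anything.
SUSPICIOUS = re.compile(
    r"<\s*(script|img|svg|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)

def decode_fully(value, max_rounds=5):
    """Undo HTML entity encoding until the value stops changing.

    Covers values that were entity-encoded more than once before being saved.
    """
    for _ in range(max_rounds):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_meta_rows(rows):
    """Return (post_id, meta_key, decoded_value) for rows whose decoded value holds markup."""
    findings = []
    for post_id, meta_key, meta_value in rows:
        decoded = decode_fully(meta_value)
        if SUSPICIOUS.search(decoded):
            findings.append((post_id, meta_key, decoded))
    return findings

# Constructed sample rows. The meta key names are placeholders, not the
# plugin's real keys; row 102 carries the PoC value shown on this page.
SAMPLE_ROWS = [
    (101, "example_seo_title", "Ten tips for faster &amp; safer sites"),
    (102, "example_seo_title",
     '"&gt;&lt;script&gt;&lt;/script&gt;&lt;img src=x onerror=alert(777)&gt;'),
    (103, "example_seo_description", "Compare plans: basic &lt; pro"),
]

if __name__ == "__main__":
    for post_id, key, decoded in scan_meta_rows(SAMPLE_ROWS):
        print(f"post {post_id} {key}: {decoded!r}")
```

Rows 101 and 103 show that ordinary encoded characters such as "&amp;" and "&lt;" in a title do not trigger a finding; only the decoded tag or event-handler attribute in row 102 does.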

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-10357, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.


Artyom k.
CVE-2025-10357 – Simple SEO – Stored XSS – POC
