CVE-2025-23554 vulnerability in Jakub Glos Off Page SEO allows Reflected XSS

CVE-2025-23554 is a high-severity security vulnerability classified as Improper Neutralization of Input During Web Page Generation — commonly known as a reflected Cross-Site Scripting (XSS) flaw. It affects the Off Page SEO plugin for WordPress up through version 3.0.3.

Vulnerability Details

  • Type: Reflected Cross-Site Scripting (XSS), CWE-79
  • Product Affected: Off Page SEO WordPress plugin by Jakub Glos
  • Vulnerable Versions: up through 3.0.3
  • Impact: Allows attackers to inject malicious scripts into web pages viewed by other users.

Severity

  • CVSS v3.1 Base Score: 7.1 (High)
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
    • Impact on Confidentiality, Integrity, Availability: Low to Moderate

What This Means

An attacker could craft a malicious URL or input that, when a victim interacts with it (e.g., clicks the link), causes the plugin to echo the unvalidated request value into the generated page without encoding it for its HTML context. The browser then treats the attacker-supplied text as part of the page, which can result in execution of attacker-controlled JavaScript in the victim's browser and potentially lead to session hijacking, phishing, or other unauthorized actions performed with the victim's privileges.
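The pattern behind this class of flaw, shown as an added example rather than code from the Off Page SEO plugin: a hypothetical template fragment that reflects a request parameter into an attribute, beside the hardened form that encodes the value for its output context. The function names, the `q` parameter and the probe string are assumed for illustration; inside WordPress the escaping call would be the core `esc_attr()` (or `esc_html()` for text nodes), and `htmlspecialchars()` stands in for it here so the file runs without WordPress loaded.

```php
<?php
// Added example (not the Off Page SEO plugin's code). All names here are
// hypothetical; the sample input below is constructed.

declare(strict_types=1);

// Vulnerable pattern (CWE-79): the request value is concatenated straight
// into markup, so any quote or angle bracket in it changes the page structure.
function render_search_box_vulnerable(string $q): string
{
    return '<input type="text" name="q" value="' . $q . '">';
}

// Standalone stand-in for WordPress' esc_attr(): encode quotes and angle
// brackets for an HTML attribute context. ENT_SUBSTITUTE keeps invalid UTF-8
// from silently producing an empty string.
function esc_attr_standalone(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened form: the value is encoded for the exact context it lands in.
function render_search_box_safe(string $q): string
{
    return '<input type="text" name="q" value="' . esc_attr_standalone($q) . '">';
}

// Constructed probe: the leading double quote closes the value attribute and
// the remainder is parsed as a new element when it is not encoded.
$probe = '"><b>injected</b>';

echo 'Vulnerable: ' . render_search_box_vulnerable($probe) . PHP_EOL;
echo 'Hardened:   ' . render_search_box_safe($probe) . PHP_EOL;

// In a real plugin the value comes from the request, for example
//   $q = isset($_GET['q']) ? sanitize_text_field(wp_unslash($_GET['q'])) : '';
// Input sanitisation does not replace output encoding: the same value may be
// echoed into an attribute, a text node and a URL, each needing its own encoder.
```

Run it with `php example.php`; the first line shows the probe breaking out of the attribute, the second shows it rendered as a literal value. The design point is that the encoder is chosen by output context: `esc_attr()` for attributes, `esc_html()` for text, `esc_url()` for `href`/`src`, and `wp_kses()` only where a limited set of tags is genuinely meant to be rendered.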

Mitigation & Recommendations

  • Update or Patch: If an official fix is released by the plugin author, update to the latest secure version.
  • Workaround: Until patched, consider disabling or replacing the affected plugin.
  • Defensive Controls: Use a Web Application Firewall (WAF) or XSS filtering tools on your site to help block exploit attempts.
  • Security Best Practices: Regularly keep all plugins and WordPress core up to date and only use trusted plugins from reputable sources.
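To support the defensive-controls item above, an added example (not part of this advisory, and not a substitute for a WAF) of a small log-review helper: it pulls the request target out of combined-format access log lines, fully URL-decodes the query string so double-encoded values are seen, and flags parameters that decode to HTML markup, the kind of request a reflected-XSS filter rule would block. The log lines are constructed, and because the plugin's request path is not given here the filter keys on the query string alone; the function names are assumed.

```php
<?php
// Added example, not part of the advisory. Sample log lines are constructed;
// function names are hypothetical.

declare(strict_types=1);

// Pull the request target ("/path?query") from a combined-format access log line.
function request_target(string $line): ?string
{
    if (preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m) === 1) {
        return $m[1];
    }
    return null;
}

// Decode repeatedly (bounded) so a double-encoded %253C becomes %3C and then <.
function fully_decode(string $s): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($s);
        if ($decoded === $s) {
            break;
        }
        $s = $decoded;
    }
    return $s;
}

// Markup indicators in a query string: a tag opener, an on*= event attribute,
// or a javascript: scheme. Tune the pattern to the site's legitimate inputs.
function looks_like_markup_injection(string $target): bool
{
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return false;
    }
    $decoded = fully_decode($query);
    return preg_match('/<\s*\/?\w|\bon\w+\s*=|javascript\s*:/i', $decoded) === 1;
}

// Return the request targets of every line that looks like a markup injection.
function flag_suspicious(array $lines): array
{
    $flagged = [];
    foreach ($lines as $line) {
        $target = request_target($line);
        if ($target !== null && looks_like_markup_injection($target)) {
            $flagged[] = $target;
        }
    }
    return $flagged;
}

// Constructed sample log lines: one benign search, one URL-encoded markup
// probe, one double-encoded probe, one request with no query string.
$logLines = [
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /?q=seo+tools HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2025:10:00:07 +0000] "GET /?q=%22%3E%3Cb%3Einjected%3C%2Fb%3E HTTP/1.1" 200 540',
    '198.51.100.9 - - [10/Jan/2025:10:01:13 +0000] "GET /?q=%2522%253E%253Cb%253E HTTP/1.1" 200 540',
    '198.51.100.9 - - [10/Jan/2025:10:02:44 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
];

foreach (flag_suspicious($logLines) as $hit) {
    echo 'suspicious request: ' . $hit . PHP_EOL;
}
```

Point it at a real access log with `php review.php < access.log` after replacing the constructed array with lines read from STDIN. A hit in the log is evidence of probing, not of successful exploitation; whether the request reached the vulnerable code path still has to be confirmed against the plugin version installed, which is one more reason to apply the update or workaround above first.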