CVE-2025-2892 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress plugin 'All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic' developed by smub. This vulnerability affects all versions up to and including 4.8.1.1. The root cause is improper neutralization of input during web page generation (CWE-79), specifically insufficient sanitization and escaping of user-supplied data in the post Meta Description and Canonical URL parameters. An authenticated attacker with Contributor-level privileges or higher can exploit this flaw by injecting malicious JavaScript code into these parameters. Because the malicious script is stored persistently in the website’s database, it executes whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or redirection to malicious sites. The CVSS v3.1 base score is 6.4, indicating a medium severity level. The attack vector is network-based (remote), requires low attack complexity, and privileges at the contributor level, but no user interaction is needed for the exploit to succeed once the malicious payload is stored. The vulnerability impacts confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no official patches or updates have been linked yet. Given the widespread use of WordPress and the popularity of SEO plugins, this vulnerability poses a significant risk to websites relying on this plugin for SEO management.

For European organizations, this vulnerability could lead to unauthorized script execution on their websites, compromising user data confidentiality and website integrity. Attackers could steal session cookies, deface websites, or redirect visitors to phishing or malware sites, damaging brand reputation and customer trust. Organizations in sectors such as e-commerce, media, and government that rely heavily on WordPress for their web presence are particularly at risk. The stored nature of the XSS means that once exploited, the malicious payload can affect all visitors to the compromised pages, amplifying the impact. Additionally, GDPR compliance could be jeopardized if personal data is exposed or manipulated due to this vulnerability, leading to regulatory penalties. The medium severity score reflects the need for timely remediation, especially since exploitation requires only contributor-level access, which might be obtained through social engineering or weak credential management.

European organizations should immediately audit their WordPress installations to identify the presence of the vulnerable 'All in One SEO' plugin versions up to 4.8.1.1. Until an official patch is released, organizations should consider temporarily disabling or uninstalling the plugin to eliminate the attack surface. Implement strict access controls and review user roles to ensure that only trusted users have contributor-level or higher privileges. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious input patterns targeting the Meta Description and Canonical URL fields. Conduct regular security scans to detect injected scripts and sanitize existing content. Educate content contributors about the risks of injecting untrusted content. Once a patch is available, prioritize prompt updating of the plugin. Additionally, implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and monitor web server logs for unusual activity indicative of exploitation attempts.