Refine your search
2 vulnerabilities found for by kcseopro
CVE-2025-62118 (GCVE-0-2025-62118)
Vulnerability from cvelistv5
Published
2025-12-31 12:59
Modified
2026-04-28 16:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kcseopro AdWords Conversion Tracking Code adwords-conversion-tracking-code allows Stored XSS.This issue affects AdWords Conversion Tracking Code: from n/a through <= 1.0.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| kcseopro | AdWords Conversion Tracking Code |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62118",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-31T15:06:01.089583Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-31T15:06:09.262Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "adwords-conversion-tracking-code",
"product": "AdWords Conversion Tracking Code",
"vendor": "kcseopro",
"versions": [
{
"lessThanOrEqual": "1.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:43:15.841Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in kcseopro AdWords Conversion Tracking Code adwords-conversion-tracking-code allows Stored XSS.\u003cp\u003eThis issue affects AdWords Conversion Tracking Code: from n/a through \u003c= 1.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in kcseopro AdWords Conversion Tracking Code adwords-conversion-tracking-code allows Stored XSS.This issue affects AdWords Conversion Tracking Code: from n/a through \u003c= 1.0."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:14:02.223Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/adwords-conversion-tracking-code/vulnerability/wordpress-adwords-conversion-tracking-code-plugin-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress AdWords Conversion Tracking Code plugin \u003c= 1.0 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-62118",
"datePublished": "2025-12-31T12:59:08.280Z",
"dateReserved": "2025-10-07T15:41:34.897Z",
"dateUpdated": "2026-04-28T16:14:02.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-4127 (GCVE-0-2025-4127)
Vulnerability from cvelistv5
Published
2025-05-08 06:39
Modified
2026-04-08 16:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The WP SEO Structured Data Schema plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Price Range’ parameter in all versions up to, and including, 2.7.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that will execute whenever an administrator accesses the plugin settings page.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| kcseopro | WP SEO Structured Data Schema |
Version: 0 ≤ 2.7.11 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4127",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T14:09:29.870648Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-08T14:09:41.638Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP SEO Structured Data Schema",
"vendor": "kcseopro",
"versions": [
{
"lessThanOrEqual": "2.7.11",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "J\u00f6rg Steinstr\u00e4ter"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP SEO Structured Data Schema plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018Price Range\u2019 parameter in all versions up to, and including, 2.7.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that will execute whenever an administrator accesses the plugin settings page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:42:19.837Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/24f6c4e4-11c3-476f-9f50-42053b625ab8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-seo-structured-data-schema/trunk/lib/classes/KcSeoHelper.php#L7"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3289009/wp-seo-structured-data-schema"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-04-24T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-05-07T17:42:22.000Z",
"value": "Disclosed"
}
],
"title": "WP SEO Structured Data Schema \u003c= 2.7.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin Settings"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-4127",
"datePublished": "2025-05-08T06:39:50.774Z",
"dateReserved": "2025-04-30T07:43:07.570Z",
"dateUpdated": "2026-04-08T16:42:19.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}