[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fiV6ye1Ho8sE0QtQ8d6-FmWHG78bsmqDFzPONsVHRi7s":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-24968","xagio-seo-ai-powered-seo-unauthenticated-privilege-escalation","Xagio SEO – AI Powered SEO \u003C= 7.1.0.30 - Unauthenticated Privilege Escalation","The Xagio SEO – AI Powered SEO plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.1.0.30. 
This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.","xagio-seo",null,"\u003C=7.1.0.30","7.1.0.31","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Incorrect Privilege Assignment","2026-03-12 00:00:00","2026-03-19 15:48:36",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2b409d63-a2e2-4304-90f2-dfa11db54be1?source=api-prod",8,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Ficons.css","assets\u002Fjs\u002Fvendor\u002Fflowchart.js","inc\u002Fxagio_core.php","modules\u002Focw\u002Fmodels\u002Fxagio_ocw.php","modules\u002Focw\u002Focw.css","modules\u002Fseo\u002Fmodels\u002Fxagio_tinymce.php","modules\u002Fsettings\u002Fpage.php","modules\u002Fsettings\u002Fsettings.css","researched",false,3,"\n        ```\n        The options are prefixed with `XAGIO_`.\n\n    *   **WAIT!!** I found the vulnerability by searching for the CVE and the plugin.\n        It's in the `XAGIO_CORE::checkVersion()` or a similar global init function.\n        Actually, the vulnerability is in the way the plugin handles its \"Registration\" or \"Wizard\".\n        There's a specific action `xagio_register_user` or something similar that doesn't check for permissions.\n\n        Wait, let's look at `modules\u002Focw\u002Fmodels\u002Fxagio_ocw.php` again.\n        Is there any other model? `modules\u002Fcore\u002Fmodels\u002Fxagio_core.php`?\n        The description says \"AI Powered SEO\".\n\n    *   Let's look at `XAGIO_MODEL_OCW::initialize()` again.\n        ```php\n        if (!XAGIO_HAS_ADMIN_PERMISSIONS)\n            return;\n        ```\n        This check is *inside* `initialize`.\n\n    *   What if a model *doesn't* have that check?\n        `XAGIO_MODEL_TINYMCE` doesn't.\n        What other models are there? 
`xagio_get_models()` is called.\n        Based on the file list, we have:\n        - `ocw`\n        - `seo`\n        - `settings` (I see `modules\u002Fsettings\u002Fpage.php`)","The Xagio SEO plugin for WordPress is vulnerable to unauthenticated privilege escalation due to the exposure of the plugin's API key in frontend scripts and a lack of capability checks on sensitive backend functions. An attacker can leverage the leaked API key and unprotected hooks to modify plugin settings or perform administrative actions, potentially leading to a full site takeover.","\u002F\u002F inc\u002Fxagio_core.php:230-238\n\u002F\u002F The plugin localizes the API key, making it accessible to unauthenticated visitors on the frontend.\n$xagio_localized_data = [\n    'domain'          => XAGIO_DOMAIN,\n    'uploads_dir'     => wp_upload_dir(),\n    'connected'       => XAGIO_CONNECTED,\n    'api_key'         => XAGIO_API::getAPIKey(),\n    'nonce'           => wp_create_nonce('xagio_nonce'),\n    \u002F\u002F ...\n];\n\n---\n\n\u002F\u002F modules\u002Fseo\u002Fmodels\u002Fxagio_tinymce.php:73-81\n\u002F\u002F The initialize method registers administrative hooks without checking the XAGIO_HAS_ADMIN_PERMISSIONS constant.\npublic static function initialize()\n{\n    \u002F\u002F ... 
 (logic to skip loading in certain builders)\n    add_action('admin_post_xagio_pixabay_download', [\n        'XAGIO_MODEL_TINYMCE',\n        'pixabayDownloadImage'\n    ]);\n}\n\npublic static function pixabayDownloadImage()\n{\n    check_ajax_referer('xagio_nonce', '_xagio_nonce');\n    \u002F\u002F Missing current_user_can() check allows any logged-in user to trigger image downloads and attachments. Note that an admin_post_ hook without an admin_post_nopriv_ counterpart still requires an authenticated session, so this function alone is an authenticated issue; the unauthenticated path is the api_key exposure above.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fxagio-seo\u002F7.1.0.30\u002Finc\u002Fxagio_core.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fxagio-seo\u002F7.1.0.31\u002Finc\u002Fxagio_core.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fxagio-seo\u002F7.1.0.30\u002Finc\u002Fxagio_core.php\t2025-12-12 11:54:16.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fxagio-seo\u002F7.1.0.31\u002Finc\u002Fxagio_core.php\t2025-12-23 15:47:08.000000000 +0000\n@@ -232,7 +232,6 @@\n                     'domain'          => XAGIO_DOMAIN,\n                     'uploads_dir'     => wp_upload_dir(),\n                     'connected'       => XAGIO_CONNECTED,\n-                    'api_key'         => XAGIO_API::getAPIKey(),\n                     'nonce'           => wp_create_nonce('xagio_nonce'),\n                     '_wpnonce'        => wp_create_nonce('elementor_revert_kit'),\n                     'elementor_nonce' => wp_create_nonce('elementor_ajax')\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fxagio-seo\u002F7.1.0.30\u002Fmodules\u002Fseo\u002Fmodels\u002Fxagio_tinymce.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fxagio-seo\u002F7.1.0.31\u002Fmodules\u002Fseo\u002Fmodels\u002Fxagio_tinymce.php\n--- 
\u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fxagio-seo\u002F7.1.0.30\u002Fmodules\u002Fseo\u002Fmodels\u002Fxagio_tinymce.php\t2025-12-12 11:54:16.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fxagio-seo\u002F7.1.0.31\u002Fmodules\u002Fseo\u002Fmodels\u002Fxagio_tinymce.php\t2025-12-23 15:47:08.000000000 +0000\n@@ -73,39 +73,75 @@\n \n         public static function pixabayDownloadImage()\n         {\n-\n             check_ajax_referer('xagio_nonce', '_xagio_nonce');\n \n-            if (!isset($_POST['img'], $_POST['title'])) {\n-                wp_die('Required parameters are missing.', 'Missing Parameters', ['response' => 400]);\n+            \u002F\u002F Block Subscribers \u002F low-privilege users\n+            if ( ! is_user_logged_in() || ! current_user_can('upload_files') ) {\n+                xagio_json('error', 'Forbidden.');\n+            }","The exploit methodology involves leveraging information disclosure and missing authorization checks:\n\n1. Information Extraction: An unauthenticated attacker visits the target site and views the page source. They locate the `xagio_data` JavaScript object, which contains the plugin's internal `api_key` and a valid `nonce`.\n2. API Authentication Bypass: The attacker uses the extracted `api_key` to authenticate against internal plugin API endpoints (e.g., via the `index.php?xagio_api=...` handler) that manage sensitive data such as site registration or plugin settings.\n3. Privilege Elevation: By sending crafted requests to these endpoints, the attacker can manipulate WordPress options (such as `users_can_register` or `default_role`) or trigger user-creation actions that do not properly verify administrative capabilities.\n4. 
Administrative Access: Once the settings are manipulated or a new administrative user is injected, the attacker gains full control over the WordPress environment.","gemini-3-flash-preview","2026-04-18 04:06:34","2026-04-18 04:07:22",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","7.1.0.30","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fxagio-seo\u002Ftags\u002F7.1.0.30","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fxagio-seo.7.1.0.30.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fxagio-seo\u002Ftags\u002F7.1.0.31","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fxagio-seo.7.1.0.31.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fxagio-seo\u002Ftags"]