CVE-2025-14438
Server-Side Request Forgery in Xagio SEO WordPress Plugin
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xagio | xagio-seo | up to and including 7.1.0.30 |
| xagio | xagio-seo | 7.1.0.29 |
| xagio | xagio-seo | 7.1.0.31 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Xagio SEO WordPress plugin (up to version 7.1.0.30) is a Server-Side Request Forgery (SSRF) issue in the 'pixabayDownloadImage' function. Authenticated users with Subscriber-level access or higher can exploit this flaw to make the web application send requests to arbitrary locations. This means an attacker can potentially query or modify information from internal services by tricking the plugin into fetching data from unintended URLs. The vulnerability arises because the plugin allows these requests without sufficient validation or restriction on the target URLs. [2]
How can this vulnerability impact me?
This SSRF vulnerability can allow an attacker with low-level authenticated access (Subscriber or above) to make the server send requests to internal or external systems that the attacker normally cannot access. This can lead to unauthorized information disclosure, such as accessing internal services or sensitive data, and potentially modifying internal information. It may also be used as a stepping stone for further attacks within the internal network or to bypass network restrictions. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves determining whether a vulnerable version of the xagio-seo WordPress plugin (up to 7.1.0.30) is installed and whether the 'pixabayDownloadImage' function is being exploited. Check the installed plugin version with the WP-CLI command `wp plugin list --status=active | grep xagio-seo`. Unusual authenticated POST requests to the AJAX handler that triggers 'pixabayDownloadImage' can indicate exploitation attempts; web server logs can be searched for them with `grep`, for example `grep 'POST.*action=pixabayDownloadImage' /var/log/apache2/access.log` for Apache. Since the vulnerability requires authenticated access, reviewing user activity logs for Subscriber-level accounts showing suspicious behavior related to image downloads from Pixabay can also be useful. [2]
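As an added example (not part of this advisory or of the plugin's code), the Python script below scans combined-format access-log lines for the 'pixabayDownloadImage' AJAX action, going one step beyond the literal grep above by percent-decoding parameter values and flagging GET as well as POST requests. It assumes the action is dispatched through WordPress's standard admin-ajax.php endpoint; the log lines are constructed for the demonstration.

```python
"""Flag access-log requests that invoke the Xagio SEO 'pixabayDownloadImage'
AJAX action (the code path named in CVE-2025-14438).

Assumption: the action is dispatched through WordPress's admin-ajax.php.
Sample log lines below are constructed, not real traffic.
"""
import re
from urllib.parse import parse_qs, urlsplit

TARGET_ACTION = "pixabayDownloadImage"

# Combined log format: client ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_requests(lines):
    """Return (ip, timestamp, method, status) for each admin-ajax.php request whose
    query string carries action=pixabayDownloadImage. parse_qs percent-decodes
    values, so 'pixabay%44ownloadImage' matches too, and the method is not
    restricted to POST because admin-ajax.php accepts GET as well."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines instead of crashing
        url = urlsplit(m.group("path"))
        if not url.path.endswith("/admin-ajax.php"):
            continue
        actions = parse_qs(url.query).get("action", [])  # may be repeated
        if TARGET_ACTION in actions:
            hits.append((m.group("ip"), m.group("ts"), m.group("method"),
                         int(m.group("status"))))
    return hits


# Constructed sample lines. Caveat: an action sent only in a POST body never
# appears in the request line, so access-log scanning cannot see it.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Jan/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=pixabayDownloadImage HTTP/1.1" 200 512',
    '203.0.113.5 - - [06/Jan/2026:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=pixabayDownloadImage HTTP/1.1" 200 88',
    '203.0.113.9 - - [06/Jan/2026:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=pixabay%44ownloadImage HTTP/1.1" 200 77',
    '198.51.100.2 - - [06/Jan/2026:10:03:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 20',
    '198.51.100.2 - - [06/Jan/2026:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, ts, method, status in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} {method} -> {status}")
```

Run it against a real log with `suspicious_requests(open("/var/log/apache2/access.log"))`; hits from low-privilege accounts should be correlated with WordPress user activity logs, since the access log carries no user identity.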
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the xagio-seo WordPress plugin to version 7.1.0.31 or later, as this version addresses the vulnerability. If an immediate update is not possible, restrict Subscriber-level and other low-privilege users from accessing the functionality that triggers the 'pixabayDownloadImage' function. Additionally, you can disable or restrict AJAX requests related to this function by implementing firewall rules or security plugins that block suspicious requests. Monitoring and limiting authenticated user capabilities to only those necessary can also reduce risk. Finally, review and harden user permissions and consider temporarily disabling the plugin if exploitation is suspected. [4]