CVE-2025-14941
Unknown Unknown - Not Provided
Authorization Bypass in GZSEO Plugin Enables Stored XSS

Publication date: 2026-01-24

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The GZSEO plugin for WordPress is vulnerable to authorization bypass leading to Stored Cross-Site Scripting in all versions up to, and including, 2.0.11. This is due to missing capability checks on multiple AJAX handlers combined with insufficient input sanitization and output escaping on the embed_code parameter. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary content into any post on the site that will execute whenever a user accesses an injected page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-24
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-01-24
EPSS Evaluated
2026-06-14
NVD
CVE-2025-14941
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gzseo gzseo to 2.0.11 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the GZSEO WordPress plugin up to version 2.0.11 is an authorization bypass that leads to Stored Cross-Site Scripting (XSS). This happens because the plugin lacks proper capability checks on multiple AJAX handlers and does not sufficiently sanitize or escape the 'embed_code' parameter. As a result, authenticated users with contributor-level access or higher can inject arbitrary content into any post. This injected content executes whenever a user views the affected post, potentially compromising site security.

Impact Analysis

This vulnerability can allow authenticated attackers with contributor or higher access to inject malicious scripts into posts on the website. These scripts execute in the browsers of users who view the infected posts, potentially leading to theft of user credentials, session hijacking, defacement, or distribution of malware. It compromises the integrity and security of the website and its users.

Mitigation Strategies

To mitigate this vulnerability, immediately update the GZSEO WordPress plugin to a version later than 2.0.11 where the authorization bypass and stored XSS issues are fixed. Additionally, restrict contributor-level access if possible until the update is applied, and review any posts for suspicious embedded content that could exploit the vulnerability.

Detection Guidance

This vulnerability can be detected by checking for unauthorized or suspicious AJAX requests to the GZSEO plugin's video update handlers, especially those involving the embed_code parameter. Since the vulnerability involves missing capability checks on AJAX handlers and stored XSS via embed_code, monitoring POST requests to AJAX endpoints related to GZSEO (e.g., admin-ajax.php with actions related to video updates) for unusual or unauthorized input can help detect exploitation attempts. Specific commands to detect this might include using network monitoring tools or command-line utilities like curl to simulate AJAX requests and check responses, or grep to search WordPress logs for suspicious embed_code parameters. For example, you can use the following command to search web server logs for suspicious embed_code usage: `grep -i 'embed_code' /var/log/apache2/access.log` or monitor AJAX requests with: `tail -f /var/log/apache2/access.log | grep admin-ajax.php`. However, no explicit detection commands are provided in the resources. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14941. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart