CVE-2025-14941

Name of the Vulnerable Software and Affected Versions WordPress GZSEO plugin versions up to and including 2.0.11

Description The GZSEO plugin for WordPress has a flaw that allows unauthorized access, leading to Stored Cross-Site Scripting. This is caused by missing capability checks on multiple AJAX handlers and inadequate input sanitization and output escaping of the embed code parameter. An attacker with contributor-level access or higher can inject malicious content into any post, which will execute when a user views the affected page.

Recommendations Update the GZSEO plugin to a version newer than 2.0.11.