ByteOS Network

GZSEO

Source -

CNA

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2026-25437

Assigner-Patchstack

View Details

Assigner-Patchstack

CVSS Score-6.5||MEDIUM

EPSS-0.05% / 15.24%

7 Day CHG~0.00%

Published-25 Mar, 2026 | 16:14

Updated-30 Mar, 2026 | 13:27

WordPress GZSEO plugin <= 2.0.14 - Broken Access Control vulnerability

Missing Authorization vulnerability in سید محمدامین هاشمی GZSEO gzseo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GZSEO: from n/a through <= 2.0.14.

Vendor-سید محمدامین هاشمی

Product-GZSEO

CWE ID-CWE-862

Missing Authorization

CVE-2025-14941

Assigner-Wordfence

View Details

Assigner-Wordfence

CVSS Score-6.4||MEDIUM

EPSS-0.01% / 2.62%

7 Day CHG~0.00%

Published-24 Jan, 2026 | 07:26

Updated-08 Apr, 2026 | 19:23

GZSEO <= 2.0.11 - Authenticated (Contributor+) Authorization Bypass to Stored Cross-Site Scripting

The GZSEO plugin for WordPress is vulnerable to authorization bypass leading to Stored Cross-Site Scripting in all versions up to, and including, 2.0.11. This is due to missing capability checks on multiple AJAX handlers combined with insufficient input sanitization and output escaping on the embed_code parameter. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary content into any post on the site that will execute whenever a user accesses an injected page.

Vendor-aminhashemy

Product-GZSEO

CWE ID-CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')