{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24968", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:41.578Z", "datePublished": "2026-03-25T16:14:33.279Z", "dateUpdated": "2026-03-25T16:14:33.279Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "xagio-seo", "product": "Xagio SEO", "vendor": "Xagio SEO", "versions": [{"changes": [{"at": "7.1.0.31", "status": "unaffected"}], "lessThanOrEqual": "<= 7.1.0.30", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:14.307Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect Privilege Assignment vulnerability in Xagio SEO Xagio SEO xagio-seo allows Privilege Escalation.<p>This issue affects Xagio SEO: from n/a through <= 7.1.0.30.</p>"}], "value": "Incorrect Privilege Assignment vulnerability in Xagio SEO Xagio SEO xagio-seo allows Privilege Escalation.This issue affects Xagio SEO: from n/a through <= 7.1.0.30."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "Privilege Escalation"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-266", "description": "Incorrect Privilege Assignment", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:33.279Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/xagio-seo/vulnerability/wordpress-xagio-seo-plugin-7-1-0-30-privilege-escalation-vulnerability?_s_id=cve"}], "title": "WordPress Xagio SEO plugin <= 7.1.0.30 - Privilege Escalation vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Privilege Assignment vulnerability in Xagio SEO Xagio SEO xagio-seo allows Privilege Escalation.This issue affects Xagio SEO: from n/a through <= 7.1.0.30."}], "id": "CVE-2026-24968", "lastModified": "2026-03-25T17:16:38.663", "metrics": {}, "published": "2026-03-25T17:16:38.663", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/xagio-seo/vulnerability/wordpress-xagio-seo-plugin-7-1-0-30-privilege-escalation-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:03:47.368779+00:00", "value": {"mitigation_remediation": ["Upgrade Xagio SEO to the latest version (any release newer than 7.1.0.30).", "If an upgrade is delayed, remove or disable the Xagio SEO plugin from the active site.", "Restrict user roles to the minimum necessary privileges, particularly for accounts that can interact with the plugin."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected product is the Xagio SEO plugin for WordPress, with all releases up through version 7.1.0.30. Any WordPress installation that retains a vulnerable version of this plugin is at risk, regardless of the underlying operating system or core WordPress version.", "description_and_impact": "The vulnerability arises from incorrect privilege assignment within the Xagio SEO WordPress plugin, allowing an attacker to obtain higher privileges than intended. Exploiting this flaw enables unauthorized modification of content, alteration of site settings, or installation of additional malicious code, thereby compromising the integrity and confidentiality of the website. The weakness is classified as CWE\u2011266 \u2013 Broken or Ineffective Permissions Management.", "risk_and_exploitability": "The risk is significant because privilege escalation can grant an attacker full administrative control over the site. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, but the potential impact remains high. The likely attack vector involves an attacker interacting with the plugin through normal site usage or via a compromised user account that has sufficient initial permissions to trigger the vulnerable functionality."}}}}, "created": "2026-03-25T21:34:41.076212+00:00", "updated": "2026-03-25T21:34:41.076292+00:00", "vendors": []}