vulnerability

WordPress Plugin: all-in-one-seo-pack: CVE-2019-16520: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
3	(AV:N/AC:M/Au:S/C:N/I:P/A:N)	Oct 16, 2019	May 15, 2025	May 15, 2025

Severity

CVSS

(AV:N/AC:M/Au:S/C:N/I:P/A:N)

Published

Oct 16, 2019

Added

May 15, 2025

Modified

May 15, 2025

Description

The all-in-one-seo-pack plugin before 3.2.7 for WordPress (aka All in One SEO Pack) is susceptible to Stored XSS due to improper encoding of the SEO-specific description for posts provided by the plugin via unsafe placeholder replacement.

Solution

all-in-one-seo-pack-plugin-cve-2019-16520

References

URL-https://www.cve.org/CVERecord?id=CVE-2019-16520
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/02cf711b-69af-4869-9ebd-31c657be1bc3?source=api-prod
CVE-2019-16520
https://attackerkb.com/topics/CVE-2019-16520

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today