CVE-2024-13807 HIGH

CVE-2024-13807: Xagio SEO <= 7.1.0.5 - Unauthenticated Sensitive Information Exposure via Unprotected Back-Up Files

Vendor Xagio

Product Xagio SEO – AI Powered SEO

Weakness CWE-200 · Info exposure

Published August 28, 2025

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

The Xagio SEO plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.1.0.5 via the backup functionality due to weak filename structure and lack of protection in the directory. This makes it possible for unauthenticated attackers to extract sensitive data from backups which can include the entire database and site's files.

Key dates

02Disclosure timeline

August 28, 2025 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-13807 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

04Related CVE

CVE-2024-3682 WP STAGING <= 3.4.3 and WP STAGING Pro <= 5.4.3 - Sensitive Information Exposure via Log File CVE-2025-59184 Storage Spaces Direct Information Disclosure Vulnerability CVE-2026-25135 OpenEMR's location resource for Group.$export operation returns entire patient/user population contact information CVE-2025-24363 The HL7 FHIR IG publisher may potentially expose GitHub repo user and credential information CVE-2023-40662 WordPress Cookies and Content Security Policy Plugin <= 2.15 is vulnerable to Sensitive Data Exposure