Date: 2025-June-25
Vulnerability: Cross-site Scripting
Affected versions: < 4.2.2
CVE IDs: CVE-2025-6676
Description: 

Simple XML sitemap is an SEO module that allows creating various XML sitemaps of the site's content and submitting them to search engines.
The module doesn't sufficiently sanitize input on its administration forms, which leads to a Cross-site Scripting (XSS) attack vector.
This vulnerability is mitigated by the fact that an attacker must have the administrative permission "administer sitemap settings".

Solution: 

Addressing this vulnerability requires two steps:

  • If you use simple_sitemap, upgrade to at least 4.2.2 or a later, supported version.
  • For all versions, ensure permissions are assigned to appropriate roles and that users holding the "administer sitemap settings" permission are trusted.
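To support the second step, the following Drush script lists every role and account that holds the "administer sitemap settings" permission. It is an added example, not code from the advisory or the module, and it assumes a Drupal 10 site with Drush available; the file name audit_sitemap_permission.php is arbitrary.

```php
<?php
// Added audit script (not part of simple_sitemap or this advisory).
// Run with:  drush php:script audit_sitemap_permission.php
// Assumes a Drupal 10 site bootstrapped by Drush; only core role/user APIs are used.

use Drupal\user\Entity\Role;
use Drupal\user\RoleInterface;

$permission = 'administer sitemap settings';
$userStorage = \Drupal::entityTypeManager()->getStorage('user');

foreach (Role::loadMultiple() as $role) {
  // hasPermission() is TRUE for every permission on an "is_admin" role,
  // so the administrator role is reported as well.
  if (!$role->hasPermission($permission)) {
    continue;
  }

  // The anonymous and authenticated roles are implicit and never stored on
  // user entities, so they cannot be enumerated; granting this permission
  // to them exposes the affected forms to all visitors or all accounts.
  if (in_array($role->id(), [RoleInterface::ANONYMOUS_ID, RoleInterface::AUTHENTICATED_ID], TRUE)) {
    printf("WARNING: implicit role '%s' grants '%s'\n", $role->id(), $permission);
    continue;
  }

  $accounts = $userStorage->loadByProperties(['roles' => $role->id()]);
  printf("Role '%s' (%s) grants '%s' to %d account(s):\n",
    $role->label(), $role->id(), $permission, count($accounts));
  foreach ($accounts as $account) {
    printf("  uid %d  %s%s\n", $account->id(), $account->getAccountName(),
      $account->isBlocked() ? '  [blocked]' : '');
  }
}

// uid 1 bypasses permission checks entirely and is not covered by the role
// listing above; review that account separately.
```

Review every listed account against the "trusted users" requirement in step two, and remove the permission from roles that do not need to edit sitemap settings.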
Reported By: 
Coordinated By: