WordPress Plugin Vulnerabilities

Yoast SEO < 26.9 - Contributor+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the the `yoast-schema` block attribute due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
wordpress-seo
Fixed in 26.9

References

CVE
CVE-2026-1293
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8b2e7c2d-ed2f-439b-9cee-f2e5d46121b6

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
dragonzenai
Verified
No
WPVDB ID
7bb1f28e-c610-414e-b84c-9199b375f8c1

Timeline

Publicly Published
2026-02-05 (about 3 months ago)
Added
2026-02-05 (about 2 months ago)
Last Updated
2026-02-05 (about 2 months ago)

Other

Published
Title
Published
2025-07-23
Title
Post Grid Master < 3.4.14 - Reflected Cross-Site Scripting via argsArray['read_more_text']
Published
2023-06-13
Title
Login Configurator <= 2.1 - Admin+ Stored Cross-Site Scripting
Published
2022-12-17
Title
Bg Bible References <= 3.8.14 - Reflected XSS
Published
2023-01-11
Title
Naver Map <= 1.1.0 - Contributor+ Stored XSS
Published
2026-02-24
Title
Metro <= 2.13 - Reflected Cross-Site Scripting