Yoast SEO Premium 25.7-25.9 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2025-11241 | Plugin Vulnerabilities

Description

The Yoast SEO Premium plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions 25.7 to 25.9 due to a flawed regex used to remove an attribute in post content, which can be abused to inject arbitrary HTML attributes, including JavaScript event handlers. This vulnerability allows a user with Contributor access or higher to create a post containing a malicious JavaScript payload.

Affects Plugins

wordpress-seo-premium

Fixed in 26.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a6e3645d-ed1b-4c51-a463-c2691cb7168d

Classification

Type

CROSS FRAME SCRIPTING

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

stealthcopter

Verified

No

WPVDB ID

dc89f5b6-2745-45dc-b718-2049859f545a

Timeline

Publicly Published

2025-10-02 (about 6 months ago)

Added

2025-10-02 (about 6 months ago)

Last Updated

2025-10-03 (about 6 months ago)

Other

Published

Title

Published

2024-01-17

Title

WP Recipe Maker < 9.1.1 - Contributor+ Stored Cross-Site Scripting via icon_color

Published

2024-03-29

Title

WordPress File Upload < 4.24.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2024-10-28

Title

SEUR Oficial < 2.2.12 - Reflected Cross-Site Scripting

Published

2025-10-24

Title

ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution < 3.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2024-02-23

Title

YML for Yandex Market < 4.2.4 - Reflected Cross-Site Scripting