Description
The Yoast SEO – Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the `yoast-schema` block attribute in all versions up to, and including, 26.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-02-06
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated Stored Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability occurs when user-supplied data is inserted into the yoast-schema block attribute without adequate sanitization or escaping, allowing an attacker to embed malicious JavaScript. The injected payload is persisted in the database and is executed on every page view, giving the attacker a persistent foothold. This yields confidentiality and integrity compromise for any user who visits the compromised page, as well as potential defacement or phishing attacks. The weakness is categorized as CWE‑79, a classic reflected XSS that becomes stored.

Affected Systems

The affected product is Yoast SEO – Advanced SEO with real-time guidance and built-in AI for WordPress. All releases up to and including version 26.8 are vulnerable. Systems running WordPress with an active Yoast SEO installation and contributor or higher level access are at risk.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity, while the EPSS score of less than 1% suggests the likelihood of exploitation is low. It is not listed in the CISA KEV catalog, so no known active exploits have been recorded. The attack vector requires the attacker to be authenticated with Contributor‑level privileges or higher and to edit or insert a page using the yoast-schema block. Once the payload is stored, any visitor to the affected page will execute the injected script, making the compromise highly actionable for the attacker.

Generated by OpenCVE AI on April 15, 2026 at 18:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Yoast SEO to version 26.9 or later, which removes the vulnerable block attribute handling.
  • Limit the use of Contributor or higher roles to trusted users or revoke such access when not needed to prevent unauthorized script injection.
  • Implement a site‑wide script filter or CSP that disallows inline scripts from unknown sources to mitigate the impact of any leftover malicious code.

Generated by OpenCVE AI on April 15, 2026 at 18:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Yoast
Yoast yoast Seo
Vendors & Products Wordpress
Wordpress wordpress
Yoast
Yoast yoast Seo

Fri, 06 Feb 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 11:45:00 +0000

Type Values Removed Values Added
Description The Yoast SEO – Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the `yoast-schema` block attribute in all versions up to, and including, 26.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Yoast SEO <= 26.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'yoast-schema' Block Attribute
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
Yoast Yoast Seo
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:48.147Z

Reserved: 2026-01-21T16:53:09.134Z

Link: CVE-2026-1293

cve-icon Vulnrichment

Updated: 2026-02-06T12:27:22.998Z

cve-icon NVD

Status : Deferred

Published: 2026-02-06T12:16:25.133

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1293

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T18:45:11Z

Weaknesses