Description
The Yoast SEO – Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `jsonText` block attribute in all versions up to, and including, 27.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-03-22
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) via the ‘jsonText’ block attribute
Action: Patch Update
AI Analysis

Impact

The Yoast SEO WordPress plugin allows authenticated users with Contributor or higher privileges to modify content that contains a ‘jsonText’ block attribute. Because input validation and output escaping are insufficient, this flaw permits the injection of arbitrary JavaScript code. An attacker who can gain or exploit such a role can embed malicious script that will run whenever a user views the affected page or post, leading to defacement, cookie theft, or redirection to malicious sites.

Affected Systems

WordPress sites that have the Yoast SEO – Advanced SEO with real‑time guidance and built‑in AI plugin installed in any released version equal to or older than 27.1.1. This includes all users of that plugin who hold Contributor level access or higher.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity vulnerability. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. Exploitation requires valid authentication to WordPress; an attacker must hold a Contributor or higher role. Once logged in, the attacker can create or modify a block containing the ‘jsonText’ attribute to inject script, which will execute in the browser context of any user who visits the page. While the vulnerability does not grant arbitrary code execution on the server, it can compromise the confidentiality and integrity of the affected site and its users.

Generated by OpenCVE AI on March 22, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Yoast SEO plugin to the latest version (at least 27.1.2) to eliminate the stored XSS flaw.
  • Verify that the plugin reports the upgraded version; if unknown, check the plugin’s readme or changelog for the security fix.
  • If an immediate upgrade is not possible, review and limit Contributor role capabilities to remove permission for editing blocks or content that can contain the vulnerable attribute.
  • Monitor the site for any attempted script injection patterns and consider applying a web application firewall rule that blocks suspicious script payloads in block content.

Tracking

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 04:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Yoast; Yoast yoast Seo – Advanced Seo With Real-time Guidance And Built-in Ai

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Yoast; Yoast yoast Seo – Advanced Seo With Real-time Guidance And Built-in Ai

Sun, 22 Mar 2026 03:45:00 +0000

Type: Description
Values Added: The Yoast SEO – Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `jsonText` block attribute in all versions up to, and including, 27.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: Yoast SEO <= 27.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'jsonText' Block Attribute

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:35:14.548Z

Reserved: 2026-03-02T06:32:06.224Z

Link: CVE-2026-3427

Vulnrichment

Updated: 2026-03-23T15:07:20.637Z

NVD

Status : Awaiting Analysis

Published: 2026-03-22T04:16:24.197

Modified: 2026-03-23T14:31:37.267

Link: CVE-2026-3427

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:46:42Z

Weaknesses