Description
The WP SEO Structured Data Schema plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `_kcseo_ative_tab` parameter in all versions up to, and including, 2.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-12
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP SEO Structured Data Schema plugin is vulnerable to stored Cross-Site Scripting because the _kcseo_ative_tab parameter is not properly sanitised or escaped. An authenticated user with Contributor or higher privileges can submit malicious script code that is stored and executed whenever anyone views the affected page, compromising confidentiality and integrity and potentially enabling a full takeover by the attacker. This is a typical input validation weakness, identified as CWE-79.

Affected Systems

The vulnerability affects the WP SEO Structured Data Schema plugin published by kcseopro for WordPress, in all versions up to and including 2.8.1. Any WordPress site that has the plugin installed and allows contributors or higher roles to edit its settings is at risk.

Risk and Exploitability

The CVSS score of 4.9 indicates a medium risk level. The EPSS score is not available, and the issue is not listed in CISA's KEV catalog, implying no publicly known exploits yet. The attack requires a valid contributor-level account; an attacker could legitimately obtain such credentials or compromise an existing account. Once the malicious script is stored, any user visiting the affected page would execute it, making this a serious threat for sites that rely on the plugin.

Generated by OpenCVE AI on May 12, 2026 at 10:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to a version newer than 2.8.1, where the input sanitization fix has been applied.
  • Restrict the Contributor role to trusted users or remove Contributor capability on the site to limit the number of accounts that can inject scripts.
  • If an upgrade is not immediately feasible, disable or uninstall the plugin and delete any stored scripts from the database.

Advisories

No advisories yet.

History

Tue, 12 May 2026 14:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 08:30:00 +0000

Type        | Values Removed | Values Added
Description |                | The WP SEO Structured Data Schema plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `_kcseo_ative_tab` parameter in all versions up to, and including, 2.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title       |                | WP SEO Structured Data Schema <= 2.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via '_kcseo_ative_tab' Parameter
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-12T12:45:06.844Z

Reserved: 2026-03-05T15:22:24.895Z

Link: CVE-2026-3604

Vulnrichment

Updated: 2026-05-12T12:44:59.881Z

NVD

Status: Deferred

Published: 2026-05-12T09:16:40.810

Modified: 2026-05-12T14:03:52.757

Link: CVE-2026-3604

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T10:30:13Z

Weaknesses