Description
Missing Authorization vulnerability in Yoast BV Yoast SEO Premium allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Yoast SEO Premium: from n/a through 26.6.
Published: 2026-06-17
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization check in Yoast SEO Premium, allowing attackers to bypass normal access restrictions. This weakness falls under CWE-862, which can result in unauthorized manipulation of plugin settings and potential exposure of sensitive website content. Only alterations to plugin configuration are possible, but the lack of proper control may provide attackers with a foothold to further compromise the site.

Affected Systems

Yoast BV’s Yoast SEO Premium plugin, versions up to and including 26.6, is affected. Any WordPress installation using these versions is vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium severity flaw, and the EPSS score of less than 1% suggests a low probability of exploitation. The flaw is not listed in CISA’s KEV catalog. Because the weakness is a broken access control vector, an attacker who can contact the plugin’s administrative endpoints—likely through a web request—could exploit the vulnerability, with the likely requirement of user authentication or compromised credentials. The precise attack vector is inferred from the description, as explicit details are not given.

Generated by OpenCVE AI on June 18, 2026 at 12:36 UTC.

Remediation

Vendor Solution

Update the WordPress Yoast SEO Premium Plugin to the latest available version (at least 26.7).


OpenCVE Recommended Actions

  • Upgrade the Yoast SEO Premium plugin to version 26.7 or later.
  • Verify that only administrator roles can access Yoast settings and adjust user role permissions accordingly.
  • If an upgrade cannot be performed immediately, temporarily disable the plugin to eliminate the exposed control path.

Generated by OpenCVE AI on June 18, 2026 at 12:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Yoast Bv
Yoast Bv yoast Seo Premium
Vendors & Products Wordpress
Wordpress wordpress
Yoast Bv
Yoast Bv yoast Seo Premium

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Yoast BV Yoast SEO Premium allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Yoast SEO Premium: from n/a through 26.6.
Title WordPress Yoast SEO Premium plugin <= 26.6 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L'}


Subscriptions

Wordpress Wordpress
Yoast Bv Yoast Seo Premium
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:35:26.509Z

Reserved: 2026-04-15T09:19:20.452Z

Link: CVE-2026-40722

cve-icon Vulnrichment

Updated: 2026-06-17T10:35:21.540Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:05:06Z

Weaknesses