Impact
The vulnerability is a missing authorization check in Yoast SEO Premium, allowing attackers to bypass normal access restrictions. This weakness falls under CWE-862, which can result in unauthorized manipulation of plugin settings and potential exposure of sensitive website content. Only alterations to plugin configuration are possible, but the lack of proper control may provide attackers with a foothold to further compromise the site.
Affected Systems
Yoast BV’s Yoast SEO Premium plugin, versions up to and including 26.6, is affected. Any WordPress installation using these versions is vulnerable.
Risk and Exploitability
The CVSS score of 5.5 indicates a medium severity flaw, and the EPSS score of less than 1% suggests a low probability of exploitation. The flaw is not listed in CISA’s KEV catalog. Because the weakness is a broken access control vector, an attacker who can contact the plugin’s administrative endpoints—likely through a web request—could exploit the vulnerability, with the likely requirement of user authentication or compromised credentials. The precise attack vector is inferred from the description, as explicit details are not given.
OpenCVE Enrichment