Description
Yoast Duplicate Post through 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice. Attackers can schedule a republish copy with a crafted title to execute script when an administrator views the resulting notice.
Published: 2026-06-10
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw in the Yoast Duplicate Post plugin through version 4.6. An attacker can create a scheduled republish job with a specially crafted post title. When an administrator views the editor’s republish notice, the title is inserted into the page without escaping, allowing arbitrary JavaScript to run in the admin browser context. This can lead to theft of administrative cookies, session hijacking, malicious script injection, or defacement. The weakness is a classic example of CWE-79.
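The unescaped-notice pattern described above beside its hardened form, as an added illustration that is not Yoast Duplicate Post's own code; the function names, the `_example_republish_scheduled` meta key and the notice wording are assumptions:

```php
<?php
// Hypothetical reconstruction of the bug class in the analysis above;
// this is not Yoast Duplicate Post's own code. Function names, the
// meta key and the notice wording are assumptions.

// Vulnerable pattern: the republish copy's title and permalink are
// concatenated straight into admin HTML, so markup in the title runs.
function example_republish_notice_unescaped( WP_Post $copy ) {
    return '<div class="notice notice-info"><p>A republish of <a href="'
        . get_permalink( $copy ) . '">' . $copy->post_title
        . '</a> is scheduled.</p></div>';
}

// Hardened pattern: every dynamic value is escaped for the context it
// lands in: esc_url() for the href attribute, esc_html() for text.
function example_republish_notice_escaped( WP_Post $copy ) {
    return sprintf(
        '<div class="notice notice-info"><p>A republish of <a href="%s">%s</a> is scheduled.</p></div>',
        esc_url( get_permalink( $copy ) ),
        esc_html( $copy->post_title )
    );
}

// Show the escaped notice on the Classic Editor screen for the copy.
add_action( 'admin_notices', function () {
    $screen = get_current_screen();
    if ( ! $screen || 'post' !== $screen->base ) {
        return;
    }
    $copy = get_post();
    if ( $copy instanceof WP_Post
        && get_post_meta( $copy->ID, '_example_republish_scheduled', true ) ) {
        echo example_republish_notice_escaped( $copy ); // all dynamic parts escaped above
    }
} );
```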

Affected Systems

WordPress sites running the Yoast Duplicate Post plugin at version 4.6 or earlier are affected. The plugin is published under the Duplicate Post Project and is used by any WordPress installation that has scheduled republishing enabled. Users of the Classic Editor are exposed when a scheduled republish notice is shown.

Risk and Exploitability

The CVSS score of 5.1 labels the issue as medium severity. Because the vulnerability requires the ability to schedule a republish, which is limited to users with administrative or privileged capabilities, the attack surface is restricted to site administrators. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting an absence of known widespread exploitation. Nevertheless, the potential for XSS in the admin interface justifies timely remediation.

Generated by OpenCVE AI on June 10, 2026 at 22:54 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Yoast Duplicate Post to the latest version (4.7 or newer), which removes the unescaped title rendering.
  • If an upgrade cannot be performed immediately, deactivate the Duplicate Post plugin or disable scheduled republish features until the plugin is patched.
  • Ensure the WordPress installation and all plugins are kept up to date, and review the permissions of users able to schedule republish jobs to limit exposure.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 23:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Wordpress; Wordpress wordpress
Vendors & Products | (none) | Wordpress; Wordpress wordpress

Wed, 10 Jun 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | Yoast Duplicate Post through 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice. Attackers can schedule a republish copy with a crafted title to execute script when an administrator views the resulting notice.
Title | (none) | Yoast Duplicate Post through 4.6 Stored Cross-Site Scripting via Scheduled Republish Notice
First Time appeared | (none) | Duplicate Post Project; Duplicate Post Project duplicate Post
Weaknesses | (none) | CWE-79
CPEs | (none) | cpe:2.3:a:duplicate_post_project:duplicate_post:*:*:*:*:*:wordpress:*:*
Vendors & Products | (none) | Duplicate Post Project; Duplicate Post Project duplicate Post
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}; cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-10T20:39:44.745Z

Reserved: 2026-06-10T17:16:10.427Z

Link: CVE-2026-53740

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T22:17:02.367

Modified: 2026-06-10T22:17:02.367

Link: CVE-2026-53740

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T23:00:20Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')