Description
Contributor Cross Site Scripting (XSS) in Surbma | Yoast SEO Breadcrumb Shortcode <= 1.2 versions.
Published: 2026-07-02
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a cross-site scripting flaw in the Surbma Yoast SEO Breadcrumb Shortcode plugin that can be triggered by a user holding contributor-level privileges. The plugin fails to properly escape or validate input supplied through its shortcode, so such a user can embed arbitrary JavaScript in the rendered page. When that script executes in a visitor's browser, the attacker can steal session cookies, deface pages, or redirect users, compromising confidentiality and integrity.

Affected Systems

The weakness exists in any installation of the Surbma Yoast SEO Breadcrumb Shortcode WordPress plugin version 1.2 or earlier. Administrators who have deployed these versions on their sites are susceptible.

Risk and Exploitability

With a CVSS score of 6.5, the flaw is a medium-severity risk. No EPSS score is available, and it is not listed in the CISA KEV catalog, indicating no known widespread exploitation at this time. The CVSS vector (AV:N/AC:L/PR:L/UI:R) indicates a remote attack by a low-privileged user that requires victim interaction: the attacker injects the malicious payload through the shortcode, which is rendered when other users view the page. Therefore, any user who can edit content with the plugin, and anyone who visits a page containing the shortcode, is at risk.

Generated by OpenCVE AI on July 2, 2026 at 17:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Surbma Yoast SEO Breadcrumb Shortcode to the latest version that contains the XSS fix.
  • If the plugin is no longer required, disable or uninstall it to eliminate the attack surface.
  • Implement a Content Security Policy that restricts inline scripts and helps mitigate any residual XSS risk.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 14:30:00 +0000

  Type      Values Removed    Values Added
  Metrics   (none)            ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Jul 2026 11:30:00 +0000

  Type          Values Removed    Values Added
  Description   (none)            Contributor Cross Site Scripting (XSS) in Surbma | Yoast SEO Breadcrumb Shortcode <= 1.2 versions.
  Title         (none)            WordPress Surbma | Yoast SEO Breadcrumb Shortcode plugin <= 1.2 - Cross Site Scripting (XSS) vulnerability
  Weaknesses    (none)            CWE-79
  References    (none)            (not shown)
  Metrics       (none)            cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T13:58:17.905Z

Reserved: 2026-06-25T08:04:41.580Z

Link: CVE-2026-57764

Vulnrichment

Updated: 2026-07-02T13:58:14.592Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T17:45:03Z

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')