CVE-2026-1293
Stored XSS in Yoast SEO Plugin via yoast-schema Block Attribute
Publication date: 2026-02-06
Last updated on: 2026-02-06
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yoast | wordpress_seo | to 26.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Yoast SEO plugin for WordPress, up to and including version 26.8, has a Stored Cross-Site Scripting (XSS) vulnerability. This occurs because the plugin does not properly sanitize or escape input in the `yoast-schema` block attribute. As a result, authenticated users with Contributor-level access or higher can inject malicious scripts into pages. These scripts then execute whenever any user views the infected page.
How can this vulnerability impact me? :
This vulnerability allows attackers with Contributor-level access or above to inject arbitrary JavaScript code into pages on a WordPress site using the Yoast SEO plugin. The injected scripts execute in the context of any user who visits the affected pages, potentially leading to unauthorized actions such as stealing user credentials, hijacking user sessions, defacing the site, or distributing malware.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is a Stored Cross-Site Scripting (XSS) in the Yoast SEO WordPress plugin versions up to 26.8, exploitable via the `yoast-schema` block attribute by authenticated users with Contributor-level access or higher.
Detection can focus on identifying pages or posts containing malicious scripts injected into the `yoast-schema` block attribute. Since the vulnerability involves stored scripts executing when a page is accessed, scanning the content of posts and pages for suspicious script tags or unusual JavaScript within the schema blocks is recommended.
Suggested commands or methods to detect this vulnerability include:
- Use WP-CLI to search post content for suspicious script tags or unusual content in the `yoast-schema` block attribute, for example: `wp post list --post_type=page,post --field=ID | xargs -I % wp post get % --field=post_content | grep -i '<script'`
- Manually inspect or export the database content of the `wp_posts` table, focusing on the `post_content` field, to find injected scripts within schema blocks.
- Monitor HTTP responses for pages that include the `yoast-schema` block and check if any unexpected scripts are present in the page source.
- Use security scanning tools or WordPress security plugins that can detect stored XSS payloads or anomalous content in posts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps for this Stored Cross-Site Scripting vulnerability in the Yoast SEO plugin include:
- Update the Yoast SEO plugin to a version later than 26.8 where the vulnerability is fixed.
- Restrict Contributor-level and higher user permissions temporarily to trusted users only, as the vulnerability requires authenticated users with at least Contributor access.
- Audit and clean existing posts and pages for injected malicious scripts in the `yoast-schema` block attribute.
- Implement Web Application Firewall (WAF) rules to block suspicious payloads targeting the `yoast-schema` block attribute.
- Consider disabling or restricting the use of the `yoast-schema` block attribute until a patch is applied.