CVE-2026-3427
Stored XSS in Yoast SEO Plugin via jsonText Attribute
Publication date: 2026-03-22
Last updated on: 2026-03-22
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yoast | wordpress_seo | up to 27.1.1 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Yoast SEO WordPress plugin (up to version 27.1.1) is a Stored Cross-Site Scripting (XSS) issue caused by insufficient input sanitization and output escaping of the `jsonText` block attribute in HowTo content blocks.
This flaw allows authenticated users with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts execute whenever any user accesses the injected page, potentially compromising site security.
Specifically, the vulnerability arises because HTML script tags could be injected into duration and step description fields within the HowTo block's structured data output, which was not properly sanitized before being embedded as JSON-LD.
A fix was implemented that sanitizes these inputs by removing disallowed HTML tags such as <script>, allowing only safe tags like <strong>, <em>, and <a>, thus preventing XSS attacks and ensuring compliance with JSON-LD standards. [3]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers with Contributor-level access or higher to inject malicious scripts into your website's pages.
When other users visit these compromised pages, the injected scripts can execute in their browsers, potentially leading to theft of sensitive information, session hijacking, defacement, or further exploitation of the site.
Because the vulnerability is a Stored XSS, the malicious code persists on the site and affects all visitors to the infected pages, increasing the risk and potential damage. [3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) via the `jsonText` block attribute in the Yoast SEO plugin's HowTo blocks. Detection involves identifying posts or pages containing malicious script injections in the HowTo block's JSON-LD structured data, especially in the duration or step description fields.
Since the vulnerability requires Contributor-level or higher authenticated access to inject scripts, detection on the network level could include monitoring HTTP responses for suspicious script tags within JSON-LD data embedded in pages generated by the Yoast SEO plugin.
Suggested commands or methods to detect the vulnerability include:
- Use curl or wget to fetch pages suspected of containing HowTo blocks and inspect the JSON-LD output for script tags or suspicious HTML in the duration or step description fields.
- Example command to fetch and search for script tags in JSON-LD data:
- curl -s https://example.com/page-with-howto-block | grep -oP '("duration"|"stepDescription").*?<script>'
- Search the WordPress database for posts containing the HowTo block with suspicious script tags in the `jsonText` attribute, for example using SQL queries:
- SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%yoast/how-to-block%' AND post_content LIKE '%<script>%';
Additionally, monitoring user activity logs for Contributor-level users adding or editing posts with HowTo blocks may help identify potential exploit attempts. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Yoast SEO plugin to version 27.2 or later, where the vulnerability has been fixed by properly sanitizing and escaping the duration and step description fields in the HowTo block.
This update removes disallowed HTML tags such as <script> from user input in these fields, preventing stored cross-site scripting attacks.
If updating immediately is not possible, consider the following temporary mitigations:
- Restrict Contributor-level and higher user permissions to trusted users only, to reduce the risk of malicious script injection.
- Manually audit and sanitize existing posts containing HowTo blocks, removing any suspicious or unexpected HTML tags in the duration and step description fields.
- Implement Web Application Firewall (WAF) rules to detect and block attempts to inject script tags in post content or JSON-LD data.
After applying the update or mitigations, verify that no script alerts or malicious scripts execute when accessing pages with HowTo blocks.
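As an added illustration of the allowlist fix described in the explanation above and in the mitigation answer (this is example code, not Yoast's own PHP implementation): a Python sanitizer that keeps only <strong>, <em> and <a> in HowTo step text and then embeds the result as JSON-LD. The http(s)-only restriction on href and the encoding of "</" inside the JSON are added hardening assumptions, not something the advisory states.

```python
import json
from html import escape
from html.parser import HTMLParser
# Allowlist named in the advisory: only <strong>, <em> and <a> survive.
# Limiting <a href> to http(s) URLs is an added hardening assumption.
ALLOWED_TAGS = {"strong", "em", "a"}
RAW_TEXT_TAGS = {"script", "style"}  # dropped together with their body


class AllowlistSanitizer(HTMLParser):
    """Rebuild input keeping only allowlisted tags and attributes; every
    other tag (including <script>) is dropped and text is entity-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0  # skip_depth > 0 inside <script>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1
        elif tag in ALLOWED_TAGS:  # keep the tag, drop every on* handler
            kept = [f' href="{escape(v, quote=True)}"' for n, v in attrs
                    if tag == "a" and n == "href" and v
                    and v.lower().startswith(("http://", "https://"))]
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_step_text(text: str) -> str:
    """Return text with only <strong>, <em> and <a href=http(s)...> kept."""
    parser = AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


def build_howto_jsonld(name: str, steps: list[str]) -> str:
    """HowTo JSON-LD, every user field sanitized; '</' is also encoded so the
    JSON can never close the enclosing <script type="application/ld+json">."""
    doc = {"@context": "https://schema.org", "@type": "HowTo",
           "name": sanitize_step_text(name),
           "step": [{"@type": "HowToStep", "text": sanitize_step_text(s)}
                    for s in steps]}
    return json.dumps(doc, ensure_ascii=False).replace("</", "<\\/")
```

Because text outside the allowlisted tags is entity-escaped, no literal "<" from user input can reach the JSON-LD other than the three permitted tags, which is what closes the injection path the advisory describes.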