CVE-2026-4142
Status: Received - Intake
Stored XSS in Sentence To SEO WordPress Plugin Allows Admin Script Injection

Publication date: 2026-04-22

Last updated on: 2026-04-22

Assigner: Wordfence

Description
The Sentence To SEO (keywords, description and tags) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Permanent keywords' field in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin reads user input via filter_input_array(INPUT_POST) which applies no HTML sanitization (FILTER_DEFAULT), stores it unsanitized to the WordPress options table via update_option(), and then outputs the stored value directly into a textarea element without any escaping using PHP short echo tags (<?= ?>). An attacker can break out of the textarea element using a closing </textarea> tag and inject arbitrary HTML/JavaScript. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the plugin's settings page.
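The read/store/output chain described above, shown beside a hardened version of the same two steps, as an added PHP illustration; this is not the plugin's own source. The option name 'sts_permanent_keywords', the POST field name 'permanent_keywords', the nonce action and the function names are assumed placeholders.

```php
<?php
// Added illustration of the advisory's description; not code from the plugin.
// 'sts_permanent_keywords' and 'permanent_keywords' are assumed names.

// --- Vulnerable pattern: no sanitization on input, no escaping on output ---
function sts_save_settings_vulnerable() {
    // FILTER_DEFAULT passes the raw string through; no HTML is removed here.
    $input = filter_input_array(INPUT_POST, ['permanent_keywords' => FILTER_DEFAULT]);
    // Stored as-is in wp_options.
    update_option('sts_permanent_keywords', $input['permanent_keywords']);
}

function sts_render_field_vulnerable() {
    $value = get_option('sts_permanent_keywords', '');
    // Short echo tag with no escaping: a stored value containing a closing
    // </textarea> tag terminates the element and the rest is parsed as HTML.
    ?>
    <textarea name="permanent_keywords"><?= $value ?></textarea>
    <?php
}

// --- Hardened pattern: capability + nonce check, sanitize on input, escape on output ---
function sts_save_settings_hardened() {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions');
    }
    check_admin_referer('sts_save_settings', 'sts_nonce');

    $raw = isset($_POST['permanent_keywords']) ? wp_unslash($_POST['permanent_keywords']) : '';
    // sanitize_textarea_field() strips tags and control characters but keeps newlines,
    // which is what a multi-line keywords field needs.
    $clean = sanitize_textarea_field($raw);
    update_option('sts_permanent_keywords', $clean);
}

function sts_render_field_hardened() {
    $value = get_option('sts_permanent_keywords', '');
    // esc_textarea() HTML-encodes <, >, &, and quotes, so "</textarea>" in the
    // stored value is rendered as literal text and cannot close the element.
    ?>
    <textarea name="permanent_keywords"><?php echo esc_textarea($value); ?></textarea>
    <?php wp_nonce_field('sts_save_settings', 'sts_nonce'); ?>
    <?php
}
```

Both halves of the fix matter: sanitizing on input protects the stored value, and escaping on output protects the page even if an older, unsanitized value is already in the database.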
Meta Information
Published
2026-04-22
Last Modified
2026-04-22
Generated
2026-05-07
AI Q&A
2026-04-22
EPSS Evaluated
2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence the_sentence_to_seo to 1.0 (inc)
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

The Sentence To SEO plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in the 'Permanent keywords' field in all versions up to and including 1.0.

This vulnerability exists because the plugin does not properly sanitize or escape user input. It reads input using filter_input_array(INPUT_POST) without HTML sanitization, stores it unsanitized in the WordPress options table, and outputs it directly into a textarea element without escaping.

An attacker with administrator-level access can inject malicious HTML or JavaScript by breaking out of the textarea element using a closing </textarea> tag, causing the injected script to execute whenever a user accesses the plugin's settings page.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves checking the 'Permanent keywords' field in the Sentence To SEO plugin settings for stored malicious scripts. Since the vulnerability allows stored Cross-Site Scripting (XSS) via unsanitized input, one approach is to inspect the WordPress options table for suspicious entries related to this plugin.

You can query the WordPress database to look for potentially malicious content in the options table. For example, using a MySQL command:

  • SELECT option_name, option_value FROM wp_options WHERE option_name LIKE '%sentence_to_seo%' AND option_value LIKE '%<script>%';

Additionally, monitoring HTTP requests to the plugin's settings page for unusual POST data containing HTML or JavaScript tags may help detect exploitation attempts.
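A database check that goes beyond the single-pattern SQL query above, as an added PHP audit helper that is not part of the plugin or of this advisory. It flags any option of the plugin whose stored value changes when tags are stripped, so it catches a closing </textarea>, event-handler attributes and other markup, not only a literal <script> string. The option-name pattern 'sentence_to_seo' is assumed; adjust it to the option names the installed plugin actually uses. Run it with WP-CLI (wp eval-file) or from an mu-plugin.

```php
<?php
// Added audit helper; not part of the plugin. The LIKE pattern below is an
// assumption about the plugin's option names.
function sts_find_markup_in_options($like_pattern = 'sentence_to_seo') {
    global $wpdb;

    // Limit the scan to this plugin's options. esc_like() escapes % and _ in the pattern.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE %s",
            '%' . $wpdb->esc_like($like_pattern) . '%'
        ),
        ARRAY_A
    );

    $findings = [];
    foreach ($rows as $row) {
        // Plugin settings are often stored as a serialized array; inspect every leaf.
        $value   = maybe_unserialize($row['option_value']);
        $strings = [];
        if (is_array($value)) {
            array_walk_recursive($value, function ($v) use (&$strings) {
                $strings[] = (string) $v;
            });
        } else {
            $strings[] = (string) $value;
        }

        foreach ($strings as $s) {
            // A keywords field should contain no markup at all, so any difference
            // after tag stripping is worth a manual look.
            if (wp_strip_all_tags($s) !== $s) {
                $findings[] = ['option' => $row['option_name'], 'value' => $s];
            }
        }
    }
    return $findings;
}

foreach (sts_find_markup_in_options() as $f) {
    $line = sprintf('Markup found in option %s: %s', $f['option'], substr($f['value'], 0, 120));
    if (class_exists('WP_CLI')) {
        WP_CLI::log($line);
    } else {
        echo esc_html($line), "\n";
    }
}
```

The query is bound through $wpdb->prepare() and the result is only reported, never echoed unescaped into a page, so the audit itself does not reintroduce the problem it is looking for.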


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the plugin's settings page to only trusted administrators, as exploitation requires administrator-level access.

You should also update the Sentence To SEO plugin to a version that patches this vulnerability once available.

As a temporary workaround, consider sanitizing or removing the contents of the 'Permanent keywords' field in the WordPress options table to remove any injected scripts.

Implementing Web Application Firewall (WAF) rules to block suspicious POST requests containing HTML or JavaScript tags targeting this plugin's settings page can also help mitigate exploitation.


How can this vulnerability impact me?

This vulnerability allows an authenticated attacker with administrator-level privileges to inject arbitrary web scripts into the plugin's settings page.

The injected scripts can execute in the context of users visiting the settings page, potentially leading to unauthorized actions, data theft, or further compromise of the WordPress site.

Because the vulnerability requires high privileges to exploit, the risk is somewhat limited to trusted users who have admin access, but it still poses a significant security risk.

