CVE-2026-4142
Received Received - Intake
Stored XSS in Sentence To SEO WordPress Plugin Allows Admin Script Injection

Publication date: 2026-04-22

Last updated on: 2026-04-22

Assigner: Wordfence

Description
The Sentence To SEO (keywords, description and tags) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Permanent keywords' field in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin reads user input via filter_input_array(INPUT_POST) which applies no HTML sanitization (FILTER_DEFAULT), stores it unsanitized to the WordPress options table via update_option(), and then outputs the stored value directly into a textarea element without any escaping using PHP short echo tags (<?= ?>). An attacker can break out of the textarea element using a closing </textarea> tag and inject arbitrary HTML/JavaScript. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the plugin's settings page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4142
EUVD
EUVD-2026-24684
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence the_sentence_to_seo to 1.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Sentence To SEO plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in the 'Permanent keywords' field in all versions up to and including 1.0.

This vulnerability exists because the plugin does not properly sanitize or escape user input. It reads input using filter_input_array(INPUT_POST) without HTML sanitization, stores it unsanitized in the WordPress options table, and outputs it directly into a textarea element without escaping.

An attacker with administrator-level access can inject malicious HTML or JavaScript by breaking out of the textarea element using a closing </textarea> tag, causing the injected script to execute whenever a user accesses the plugin's settings page.

Impact Analysis

This vulnerability allows an authenticated attacker with administrator-level privileges to inject arbitrary web scripts into the plugin's settings page.

The injected scripts can execute in the context of users visiting the settings page, potentially leading to unauthorized actions, data theft, or further compromise of the WordPress site.

Because the vulnerability requires high privileges to exploit, the risk is somewhat limited to trusted users who have admin access, but it still poses a significant security risk.

Detection Guidance

Detection of this vulnerability involves checking the 'Permanent keywords' field in the Sentence To SEO plugin settings for stored malicious scripts. Since the vulnerability allows stored Cross-Site Scripting (XSS) via unsanitized input, one approach is to inspect the WordPress options table for suspicious entries related to this plugin.

You can query the WordPress database to look for potentially malicious content in the options table. For example, using a MySQL command:

  • SELECT option_name, option_value FROM wp_options WHERE option_name LIKE '%sentence_to_seo%' AND option_value LIKE '%<script>%';

Additionally, monitoring HTTP requests to the plugin's settings page for unusual POST data containing HTML or JavaScript tags may help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include restricting access to the plugin's settings page to only trusted administrators, as exploitation requires administrator-level access.

You should also update the Sentence To SEO plugin to a version that patches this vulnerability once available.

As a temporary workaround, consider sanitizing or removing the contents of the 'Permanent keywords' field in the WordPress options table to remove any injected scripts.

Implementing Web Application Firewall (WAF) rules to block suspicious POST requests containing HTML or JavaScript tags targeting this plugin's settings page can also help mitigate exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4142. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart