CVE-2026-40722
Deferred - Pending Action
Missing Authorization in Yoast SEO Premium

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Missing Authorization vulnerability in Yoast BV Yoast SEO Premium allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Yoast SEO Premium: from n/a through 26.6.
Affected Vendors & Products
1 associated CPE

Vendor   Product             Version / Range
yoast    yoast_seo_premium   up to and including 26.6
CWE
CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-40722 is a Missing Authorization (CWE-862) vulnerability in the Yoast SEO Premium WordPress plugin, affecting versions up to and including 26.6. Patchstack files it under Broken Access Control, the class of WordPress flaws in which a plugin action is reachable without the authorization, authentication, or nonce check that should gate it. As a result, users with fewer privileges than intended can trigger that action. The record does not identify which action is affected or the minimum privilege level needed to reach it.

Impact Analysis

This vulnerability can allow attackers to perform unauthorized actions on websites running the affected Yoast SEO Premium plugin. The record rates it low severity with a CVSS score of 5.5 (a score that falls in the medium band of the CVSS v3.x qualitative scale), but exploitation could still affect the integrity and availability of the affected site. Because WordPress plugin vulnerabilities are scanned for at scale, it could be used in mass campaigns against many websites rather than in targeted attacks.

Detection Guidance

This vulnerability arises from a missing authorization check in Yoast SEO Premium versions 26.6 and earlier.

Detection has two parts: confirming whether an affected version is installed on your WordPress site, and reviewing logs for attempts to invoke privileged plugin actions from sessions or accounts that should not be able to.

You can confirm the installed plugin version with WP-CLI or from the dashboard:

  • Using WP-CLI: wp plugin list | grep wordpress-seo-premium (or wp plugin get wordpress-seo-premium --field=version to print only the version string)
  • Manually: in the WordPress admin dashboard under Plugins, read the version shown under Yoast SEO Premium.

Because the record does not name the affected endpoint or action, log review can only be generic: look in web server logs for requests to the plugin's admin-ajax.php actions or REST routes from unauthenticated sessions or low-privileged accounts, and check for plugin settings changes that no administrator made.
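The version check above, carried through as an added example (not code from the page or from Yoast): a POSIX shell script that compares an installed Yoast SEO Premium version against the fix version and, when asked, reads that version from the site with WP-CLI. It assumes the plugin slug is wordpress-seo-premium and treats every version below 26.7 (the fix version named in the mitigation text) as affected, which matches the advisory range "through 26.6"; the version comparison is generic, so it also handles three-component versions and pre-release suffixes that the page's one-line check does not.

```shell
#!/bin/sh
# Added example, not from the page or from Yoast: decide whether an installed
# Yoast SEO Premium version is in the affected range for CVE-2026-40722, and
# optionally read that version from the site via WP-CLI.
# Assumptions: plugin slug wordpress-seo-premium; every version below the fix
# version 26.7 is affected (advisory range: "through 26.6").

FIXED_VERSION="26.7"
PLUGIN_SLUG="wordpress-seo-premium"

# vercmp A B: prints lt, eq or gt after comparing dot-separated numeric
# versions component by component. Missing components count as 0, so
# 26.6 and 26.6.0 compare equal; 26.10 is newer than 26.9.
vercmp() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"
        bi="${b%%.*}"
        # Advance past the component just read; stop when none remain.
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        # Empty or non-numeric components (e.g. "beta") are treated as 0.
        case "$ai" in ''|*[!0-9]*) ai=0 ;; esac
        case "$bi" in ''|*[!0-9]*) bi=0 ;; esac
        if [ "$ai" -lt "$bi" ]; then echo lt; return 0; fi
        if [ "$ai" -gt "$bi" ]; then echo gt; return 0; fi
    done
    echo eq
}

# is_affected VERSION: succeeds (exit 0) when VERSION is older than the fix.
# A pre-release suffix such as 26.6-RC1 is dropped before comparing.
is_affected() {
    v="${1%%-*}"
    [ "$(vercmp "$v" "$FIXED_VERSION")" = lt ]
}

# check_site: read the installed version with WP-CLI and report it.
# Exit status: 0 patched, 1 affected, 2 plugin absent or WP-CLI unavailable.
check_site() {
    installed=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
        echo "$PLUGIN_SLUG: not installed, or WP-CLI not available here"
        return 2
    }
    if is_affected "$installed"; then
        echo "AFFECTED: $PLUGIN_SLUG $installed is below $FIXED_VERSION (CVE-2026-40722)"
        return 1
    fi
    echo "OK: $PLUGIN_SLUG $installed"
    return 0
}

# Only talk to WP-CLI when invoked with --check, so the file can also be
# sourced for its functions in fleet-wide scripts.
if [ "${1:-}" = "--check" ]; then
    check_site
    exit $?
fi
```

Run it as sh yoast_version_check.sh --check (the filename is arbitrary) from the site's document root on a host where WP-CLI is configured; the exit status lets a fleet script count affected sites without parsing output.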

Mitigation Strategies

The immediate recommended step to mitigate this vulnerability is to update the Yoast SEO Premium plugin to version 26.7 or later, where the issue has been patched.

If you are a Patchstack user, enabling auto-updates for vulnerable plugins can help ensure timely patching.

Until the update is applied, limit who can authenticate to the site (disable open registration and review low-privileged accounts), restrict access to the WordPress admin area, and monitor for suspicious activity related to the plugin. Because the record does not identify the affected action, no targeted WAF rule can be derived from it, and restricting the admin area alone may not block a logged-in low-privileged user from reaching the exposed action.

Compliance Impact

The provided information does not specify how the missing authorization vulnerability in Yoast SEO Premium directly affects compliance with common standards and regulations such as GDPR or HIPAA.
