CVE-2026-53740
Status: Deferred - Pending Action

Yoast Duplicate Post Classic Editor XSS via Unescaped Title

Vulnerability report for CVE-2026-53740, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VulnCheck

Description

Yoast Duplicate Post through 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice. Attackers can schedule a republish copy with a crafted title to execute script when an administrator views the resulting notice.


Meta Information

Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-07-01
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

1 associated CPE:
Vendor: yoast
Product: duplicate_post
Version / Range: through 4.6 (inclusive)

Exploitability

CWE
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Executive Summary

Yoast Duplicate Post through version 4.6 builds the Classic Editor's scheduled republish notice by inserting the post title and permalink into the notice markup without escaping them. A user who can create a scheduled republish copy can give it a title containing HTML and script; when an administrator views the resulting notice, that markup is rendered and the script runs in the administrator's browser.

Impact Analysis

This is a stored cross-site scripting issue that fires inside the administrator's authenticated wp-admin session. Script running there can do anything the administrator can do through the browser, such as issuing authenticated requests to create users, change settings or install plugins, and reading anything the page exposes. Because the payload only has to be placed in a post title by someone able to schedule a republish copy, the practical effect is escalation from that lower-privileged account to administrator.

Compliance Impact

The provided information does not specify how CVE-2026-53740 affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability is a stored cross-site scripting (XSS) issue in the Yoast Duplicate Post plugin through version 4.6. It is triggered when an attacker schedules a republish copy with a crafted post title, and the payload executes when the Classic Editor's scheduled republish notice renders that title unescaped.

Detection has two parts: confirm whether the installation runs Duplicate Post 4.6 or earlier, and review the titles of scheduled republish copies for markup or script-bearing content (tag openers, javascript: URLs, inline event-handler attributes). Because the payload lives in the stored title, a scan of scheduled posts in the database finds it regardless of whether an administrator has already triggered it.

The available resources provide no specific commands for detecting this vulnerability directly on a network or system.
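The scan sketched above, written out as a WP-CLI script. This is an added example, not code from the plugin, from VulnCheck or from this page. It checks the installed plugin version and then lists scheduled posts whose stored titles contain a tag opener, a javascript: scheme, or an inline event-handler attribute. Two assumptions are labelled in the code: the plugin's main file lives at the standard `duplicate-post/duplicate-post.php` path, and scheduled republish copies are ordinary posts in the `future` status (the plugin's own post-meta markers are not named on this page, so every scheduled post of every type is checked rather than filtering on them).

```php
<?php
// Added example (not the plugin's or the page's code). Run inside a WordPress
// install with:  wp eval-file find-suspicious-scheduled-titles.php
// It reports the installed Duplicate Post version and flags scheduled posts
// whose stored title carries HTML or script-bearing content.

if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
    exit( "Run this with WP-CLI: wp eval-file find-suspicious-scheduled-titles.php\n" );
}

// 1. Version check. ASSUMPTION: the plugin is installed under its standard
//    slug, so its main file is duplicate-post/duplicate-post.php.
require_once ABSPATH . 'wp-admin/includes/plugin.php';
$main_file = WP_PLUGIN_DIR . '/duplicate-post/duplicate-post.php';
if ( file_exists( $main_file ) ) {
    $data    = get_plugin_data( $main_file, false, false );
    $version = $data['Version'];
    if ( version_compare( $version, '4.6', '<=' ) ) {
        WP_CLI::warning( "Duplicate Post $version is within the affected range (through 4.6)." );
    } else {
        WP_CLI::line( "Duplicate Post $version is outside the affected range." );
    }
} else {
    WP_CLI::line( 'Duplicate Post main file not found at the assumed path; check the version manually.' );
}

// 2. Title scan. Patterns that have no business in a post title: a tag opener,
//    a javascript: scheme, or an inline event-handler attribute (onerror=, onload=, ...).
$pattern = '/<\s*[a-z!\/]|javascript\s*:|\bon[a-z]+\s*=/i';

// ASSUMPTION: scheduled republish copies are ordinary scheduled ('future') posts,
// so all scheduled posts of all types are checked.
$scheduled = get_posts( array(
    'post_type'      => 'any',
    'post_status'    => 'future',
    'posts_per_page' => -1,
) );

$hits = 0;
foreach ( $scheduled as $post ) {
    // post_title is the stored value, i.e. what an unescaped notice would emit.
    if ( preg_match( $pattern, $post->post_title ) ) {
        $hits++;
        WP_CLI::warning( sprintf(
            'Post %d (%s, author %d, scheduled %s): %s',
            $post->ID,
            $post->post_type,
            $post->post_author,
            $post->post_date,
            $post->post_title
        ) );
    }
}

WP_CLI::line( sprintf( 'Checked %d scheduled post(s); %d suspicious title(s).', count( $scheduled ), $hits ) );
```

The author ID is printed with each hit because a flagged title is also evidence about which account to investigate; a payload in a scheduled copy created by a low-privileged user is the scenario the description names.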

Mitigation Strategies

The primary mitigation is to update Yoast Duplicate Post to the current release. The affected range listed here is through 4.6 (inclusive); confirm from the plugin changelog that the release you install addresses this issue, since the record's status is still pending action.

If an update is not immediately possible, reduce who can reach the vulnerable path: restrict the ability to create republish copies to trusted roles through the plugin's permission settings, and review scheduled republish copies created by untrusted users before an administrator opens them in the Classic Editor.

The correct code-level fix is escaping at output (esc_html() for the title, esc_url() for the permalink) at the point where the notice is rendered. Filtering markup out of titles on save is only a stopgap, because it leaves every other unescaped sink unprotected.
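The bug class the description names and the output-escaping fix, side by side, as an added illustration. This is not the plugin's code: the notice wording and markup are assumed, and the `esc_html()` / `esc_url()` definitions at the top are simplified stand-ins so the file runs outside WordPress (inside WordPress the real functions are defined and the stand-ins are skipped). The payload title and permalink are constructed inputs.

```php
<?php
// Added illustration, not the plugin's code. Shows a notice that concatenates
// a title and permalink into HTML (the bug class in the description) beside the
// WordPress-idiomatic fix: escape each value for the context it lands in.

// Simplified stand-ins so this runs outside WordPress. ASSUMPTION: they are
// only approximations of the real esc_html()/esc_url().
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    function esc_url( $url ) {
        // Allow only http/https, then escape for an attribute context.
        $scheme = strtolower( (string) parse_url( (string) $url, PHP_URL_SCHEME ) );
        if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
            return '';
        }
        return htmlspecialchars( (string) $url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// ASSUMED shape of the notice; the real wording and markup are not on this page.
function vulnerable_republish_notice( $title, $permalink, $date ) {
    // Raw values are dropped into HTML: any markup in $title or $permalink
    // reaches the administrator's browser as markup.
    return '<div class="notice notice-warning"><p>The post "' . $title
        . '" (<a href="' . $permalink . '">' . $permalink . '</a>) '
        . 'is scheduled to be republished on ' . $date . '.</p></div>';
}

function hardened_republish_notice( $title, $permalink, $date ) {
    // Same notice, escaped per context: text nodes with esc_html(), the href
    // with esc_url(), which also rejects non-http(s) schemes.
    return '<div class="notice notice-warning"><p>The post "' . esc_html( $title )
        . '" (<a href="' . esc_url( $permalink ) . '">' . esc_html( $permalink ) . '</a>) '
        . 'is scheduled to be republished on ' . esc_html( $date ) . '.</p></div>';
}

// Constructed inputs: a title carrying an event-handler payload and a
// permalink carrying a javascript: scheme.
$title     = 'Quarterly report<img src=x onerror="alert(document.cookie)">';
$permalink = 'javascript:alert(1)';
$date      = '2026-06-15 09:00';

echo "VULNERABLE:\n" . vulnerable_republish_notice( $title, $permalink, $date ) . "\n\n";
echo "HARDENED:\n" . hardened_republish_notice( $title, $permalink, $date ) . "\n";
```

Run with `php notice-example.php`: the first block contains a live `<img onerror=...>` element and a `javascript:` link, the second renders the same title as inert text (`&lt;img ...&gt;`) and empties the href. The point is where the escaping sits: at the sink, keyed to whether the value lands in a text node or an attribute, not at the moment the title is saved.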
