CVE-2026-1293 in Yoast SEO Plugin
Summary
by MITRE • 02/06/2026
The Yoast SEO – Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the `yoast-schema` block attribute in all versions up to, and including, 26.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 02/06/2026
The vulnerability identified as CVE-2026-1293 affects the Yoast SEO plugin for WordPress, specifically targeting versions up to and including 26.8. This security flaw resides within the plugin's handling of the yoast-schema block attribute, creating a stored cross-site scripting vulnerability that can be exploited by authenticated attackers. The issue stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase, allowing malicious actors with contributor-level privileges or higher to persist malicious scripts within the WordPress environment.
The technical exploitation of this vulnerability occurs through the manipulation of the yoast-schema block attribute, which is part of the plugin's advanced SEO functionality. When an authenticated attacker with contributor permissions or above submits malicious content containing script tags within this attribute, the vulnerability allows the script to be stored in the database rather than being properly sanitized. This stored script then executes whenever any user accesses a page containing the malicious content, making it a persistent threat that can affect multiple users over time.
The operational impact of this vulnerability extends beyond simple script execution, as it represents a significant security risk for WordPress installations relying on the Yoast SEO plugin. Attackers can leverage this vulnerability to perform various malicious activities including credential theft, session hijacking, data exfiltration, and redirection to malicious websites. The stored nature of the XSS attack means that the malicious code remains active until manually removed from the database, potentially affecting all users who view affected pages, regardless of their permission levels.
From a cybersecurity perspective, this vulnerability aligns with CWE-79 which describes cross-site scripting flaws, and demonstrates characteristics consistent with ATT&CK technique T1566.001 for initial access through spearphishing attachments or links. The fact that this vulnerability requires only contributor-level access makes it particularly concerning as it can be exploited by users who typically have limited administrative privileges within WordPress environments. Organizations should prioritize immediate patching of this vulnerability as it represents a critical threat to web application security and user data protection. The vulnerability also highlights the importance of proper input validation and output escaping practices in web applications, particularly in content management systems where user-generated content is processed and stored.
Mitigation strategies should include immediate patching to version 26.9 or later, which addresses the input sanitization and output escaping issues. Administrators should also implement additional monitoring for suspicious content modifications, particularly around SEO-related blocks and schema attributes. Security hardening measures such as role-based access control restrictions and content review processes can provide additional defense-in-depth layers. Regular security audits of WordPress plugins and themes remain essential to identify similar vulnerabilities before they can be exploited in production environments.