CVE-2026-3427 in SEO Plugininfo

Summary

by MITRE • 03/22/2026

The Yoast SEO – Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `jsonText` block attribute in all versions up to, and including, 27.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 03/22/2026

CVE-2026-3427 affects the Yoast SEO plugin for WordPress in all versions up to and including 27.1.1. It is a critical stored cross-site scripting flaw in the plugin's handling of the `jsonText` block attribute: the attribute value is neither adequately sanitized on input nor escaped on output, so injected content persists in WordPress pages. The plugin's advanced SEO capabilities, real-time guidance and built-in AI features make it widely deployed, and therefore a valuable target for attackers seeking to exploit WordPress installations.

The flaw lies in the plugin's handling of the `jsonText` block attribute: user-supplied input is stored in the WordPress database without proper validation or sanitization. An authenticated user with Contributor-level access or higher can place JavaScript in this attribute through the plugin's interface, and the stored payload runs whenever any user views a page containing it, giving a persistent XSS vector that can affect many users over time. The flaw sits at the application layer and abuses the trust the WordPress platform places in its plugins, which makes it particularly dangerous in multi-user environments.

The impact goes beyond simple script execution: the injected script can be used for session hijacking, credential theft, data exfiltration and privilege escalation within the WordPress environment. Because only Contributor-level access is required, the flaw is reachable by users with limited permissions who can nonetheless modify content, a broad attack surface on the many WordPress sites whose contributors are not closely vetted or monitored. Being stored, the injected script persists until it is removed by hand and can affect every user who views the compromised page.

Organizations and WordPress administrators should update promptly to the latest version of the Yoast SEO plugin, in which this vulnerability has been addressed. The fix typically consists of validating the `jsonText` attribute on input and escaping it on output, so that user-supplied content is sanitized before it is stored and encoded for the context in which it is rendered. Complementary measures are a Content Security Policy header, regular audits of plugin permissions, and monitoring of content changes for suspicious modifications. The vulnerability is classified as CWE-79 (Cross-Site Scripting) and could map to ATT&CK techniques involving credential access and execution through web application vulnerabilities. Regular security assessments and timely plugin updates are essential to defending against such persistent threats in WordPress environments.
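The remediation described above, shown as an added illustration rather than Yoast SEO's own code: a WordPress block render callback that treats a `jsonText` attribute as untrusted. The block name `example/json-text`, the function names, and the three allowed keys are assumptions for this example; the WordPress functions used (`register_block_type`, `wp_json_encode`, `sanitize_text_field`, `esc_html`, `esc_attr`) are the real core APIs and the snippet assumes it runs inside a loaded WordPress plugin.

```php
<?php
/**
 * Added example (not Yoast SEO code): rendering a `jsonText` block attribute
 * safely. Block name, attribute schema and allowed keys are assumptions.
 */

// Weak pattern for contrast only: the stored attribute reaches the page
// unescaped, so whatever a Contributor saved in post_content is emitted as-is.
function example_render_json_text_unsafe( array $attributes ): string {
	$json = $attributes['jsonText'] ?? '';
	return '<script type="application/ld+json">' . $json . '</script>';
}

// Hardened pattern:
//  1. parse the stored string as JSON and reject anything that is not an object;
//  2. keep only the keys the block is documented to use, coercing each to text;
//  3. re-encode with wp_json_encode() and JSON_HEX_* flags so '<', '>', '&' and
//     quotes become \uXXXX escapes that can never close the <script> element.
function example_render_json_text_safe( array $attributes ): string {
	$raw  = (string) ( $attributes['jsonText'] ?? '' );
	$data = json_decode( $raw, true );
	if ( ! is_array( $data ) ) {
		return ''; // malformed or non-object JSON: render nothing rather than guess
	}

	$allowed = array( 'name', 'description', 'url' ); // assumed schema for the example
	$clean   = array();
	foreach ( $allowed as $key ) {
		if ( isset( $data[ $key ] ) && is_scalar( $data[ $key ] ) ) {
			$clean[ $key ] = sanitize_text_field( (string) $data[ $key ] );
		}
	}
	if ( empty( $clean ) ) {
		return '';
	}

	$encoded = wp_json_encode(
		$clean,
		JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
	);
	if ( false === $encoded ) {
		return '';
	}
	return '<script type="application/ld+json">' . $encoded . '</script>';
}

// The same data rendered into ordinary HTML needs HTML-context escaping instead:
// esc_html() for text nodes, esc_attr() inside attribute values. Script-context
// JSON escaping and HTML escaping are not interchangeable.
function example_render_json_text_as_html( array $attributes ): string {
	$raw  = (string) ( $attributes['jsonText'] ?? '' );
	$data = json_decode( $raw, true );
	$name = ( is_array( $data ) && isset( $data['name'] ) ) ? (string) $data['name'] : '';
	return '<div class="example-json-text" data-name="' . esc_attr( $name ) . '">'
		. esc_html( $name ) . '</div>';
}

// Register the block with a string attribute and the hardened renderer
// (the 'init' hook and array-based registration are standard WordPress usage).
add_action( 'init', function () {
	register_block_type( 'example/json-text', array(
		'attributes'      => array(
			'jsonText' => array( 'type' => 'string', 'default' => '' ),
		),
		'render_callback' => 'example_render_json_text_safe',
	) );
} );
```

The key design choice is that escaping is chosen by output context at render time, independent of whatever filtering ran when the post was saved: a Contributor's content passes through `wp_kses_post` on save, but that does not protect a value that a render callback later places inside a `<script>` element, which is why the hardened renderer allow-lists keys and uses the `JSON_HEX_*` flags there.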

Responsible

Wordfence

Reservation

03/02/2026

Disclosure

03/22/2026

Moderation

accepted

CPE

ready

EPSS

0.00048

KEV

no

Activities

very low
