CVE-2026-57764 in Yoast SEO Breadcrumb Shortcode Plugin

Summary

by MITRE • 07/02/2026

Contributor Cross Site Scripting (XSS) in Surbma | Yoast SEO Breadcrumb Shortcode <= 1.2 versions.


Analysis

by VulDB Data Team • 07/02/2026

This vulnerability is a cross-site scripting flaw in the Surbma | Yoast SEO Breadcrumb Shortcode plugin for WordPress, affecting versions up to and including 1.2. The issue stems from inadequate input validation and output escaping in the plugin's shortcode implementation. When users insert breadcrumb shortcodes into WordPress content, the plugin fails to sanitize user-supplied parameters properly before rendering them in the browser. This allows authenticated users with Contributor privileges to inject malicious JavaScript through crafted shortcode attributes, which then executes in the browsers of other users who view the affected pages.

The flaw lies in how the plugin processes and displays the breadcrumb navigation elements generated via shortcodes. Attackers can exploit it by crafting input parameters that bypass the plugin's sanitization routines, typically through its handling of category, tag, or custom taxonomy parameters within the shortcode structure. The result is arbitrary JavaScript execution in the context of a victim's browser session, potentially leading to session hijacking, data theft, or redirection to malicious sites. The weakness corresponds to CWE-79, which classifies cross-site scripting as a critical web application security flaw arising when an application fails to escape its output properly.

The operational impact extends beyond simple script execution, as the flaw gives attackers a persistent vector for compromising accounts within WordPress environments. Because the vulnerability is reachable by users who can create and edit content, an attacker who obtains such credentials can establish a foothold within the target website. The attack surface is particularly concerning in shared hosting environments where multiple contributors hold varying levels of access. The vulnerability also opens a path to privilege escalation if attackers can use the XSS to capture administrator sessions or manipulate content in ways that affect site integrity.

Mitigation should start with an immediate update to a plugin version that addresses the XSS, followed by input validation at multiple layers of the application. Organizations should enforce strict output encoding and consider a Content Security Policy to limit script execution. Administrators should also review user permissions and apply role-based access controls to minimize the impact of a compromised contributor account. Remediation should include a code audit of all shortcode implementations and input handling routines in installed WordPress plugins so that similar weaknesses do not persist elsewhere in the system.
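The escaping the mitigation paragraph calls for, as an added example that is not the plugin's own code: a hypothetical breadcrumb shortcode handler in PHP. It assumes a shortcode named example_breadcrumb with home and separator attributes, uses the WordPress helpers shortcode_atts(), sanitize_text_field(), esc_html() and esc_url(), and carries simplified stand-ins for them (with example.invalid as the site URL) so it can also be run from the command line outside WordPress.

```php
<?php
// Added example, not the Surbma plugin's own code: a hypothetical breadcrumb
// shortcode handler that cleans and escapes every contributor-controlled
// attribute. The stand-ins below exist only so the file runs outside WordPress;
// inside WordPress the real helpers are already defined and this block is skipped.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {  // like esc_html(): existing entities are not double-encoded
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8', false );
    }
    function esc_url( $url ) { return htmlspecialchars( (string) $url, ENT_QUOTES, 'UTF-8', false ); } // simplified
    function sanitize_text_field( $str ) { return trim( strip_tags( (string) $str ) ); }             // simplified
    function shortcode_atts( $pairs, $atts, $shortcode = '' ) {
        return array_merge( $pairs, array_intersect_key( (array) $atts, $pairs ) );
    }
    function home_url( $path = '' ) { return 'https://example.invalid' . $path; }
    function get_the_title() { return 'Sample post'; }
    function add_shortcode( $tag, $callback ) {}
}

// Handler: accept only the attributes we know, clean them on input, then escape
// each value with the function that matches the context it is rendered into.
function example_breadcrumb_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'separator' => '&raquo;', 'home' => 'Home' ),
        $atts,
        'example_breadcrumb'
    );
    $home      = sanitize_text_field( $atts['home'] );       // input stage
    $separator = sanitize_text_field( $atts['separator'] );

    // Output stage: esc_url() for the href, esc_html() for text nodes. No
    // attribute value reaches the markup unescaped.
    return '<nav class="breadcrumb">'
        . '<a href="' . esc_url( home_url( '/' ) ) . '">' . esc_html( $home ) . '</a> '
        . esc_html( $separator ) . ' '
        . esc_html( get_the_title() )
        . '</nav>';
}
add_shortcode( 'example_breadcrumb', 'example_breadcrumb_shortcode' );

// Constructed input for a command-line run: a tag inside one attribute and a
// raw '>' as the separator. Both come out inert: "Tom &amp; Jerry" and "&gt;".
if ( PHP_SAPI === 'cli' ) {
    echo example_breadcrumb_shortcode(
        array( 'home' => 'Tom & Jerry <script>', 'separator' => '>' )
    ), "\n";
}
```

Running it with `php example.php` prints the nav element with the attribute values rendered as text; the same handler, minus the stand-in block, is what the escaping pattern looks like inside a real plugin.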

This vulnerability shows how a seemingly minor implementation flaw in a plugin can create a significant security risk within a content management system. The attack pattern matches the Initial Access and Execution tactics of the MITRE ATT&CK framework, where attackers use application-level vulnerabilities to establish persistent access to target systems. Security practitioners should monitor for similar patterns in other plugins and keep their vulnerability data current so that such issues are identified and remediated quickly across their WordPress installations.

Responsible

Patchstack

Reservation

06/25/2026

Disclosure

07/02/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources
