Hong Kong Security NGO Warns Yoast XSS (CVE-2026-3427)

Cross Site Scripting (XSS) in WordPress Yoast SEO Plugin

Yoast SEO (<= 27.1.1) Stored XSS (CVE-2026-3427) — Practical Guide for WordPress Site Owners and Administrators


Plugin Name: WordPress Yoast SEO Plugin
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2026-3427
Urgency: Low
CVE Publish Date: 2026-03-23
Source URL: CVE-2026-3427

Author: Hong Kong Security Expert — Date: 2026-03-23

TL;DR

A stored Cross-Site Scripting (XSS) vulnerability in Yoast SEO versions up to and including 27.1.1 (CVE-2026-3427) permits an authenticated user with Contributor privileges to save content (for example in a block attribute named jsonText) that can later execute JavaScript in the browser of an editor or administrator who views or edits that content. The fix is included in Yoast SEO 27.2. Patch promptly; if immediate patching is not possible, apply compensating controls, hunt for suspicious content, and restrict contributor capabilities.

What’s the vulnerability?

  • A stored XSS exists in Yoast SEO versions ≤ 27.1.1.
  • The issue is triggered via the jsonText attribute used by a block (Gutenberg) or other saved content: unescaped HTML can be persisted and later executed in an admin/editor browser context.
  • Exploit prerequisites: an authenticated Contributor-level user to store the payload, and an Editor/Admin to open or edit the affected content (user interaction required).
  • Patched in Yoast SEO 27.2 — sites running earlier versions are vulnerable until updated.
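For sites that cannot update immediately, the guidance above says to hunt for suspicious stored content. The script below is an added example, not Yoast's or this advisory's code: it walks serialized Gutenberg block comments in post content, pulls every attribute named jsonText (at any nesting depth), and flags values that contain HTML elements, inline event handlers or a javascript: scheme, which a Contributor should never be storing there. The block name example/faq and the sample posts are constructed for the demonstration; feed it real post_content rows from a database export.

```python
import json
import re

# Gutenberg serializes a block as an HTML comment:
#   <!-- wp:namespace/name {json attributes} -->  (or self-closing " /-->")
# Core blocks omit the namespace, e.g. <!-- wp:paragraph -->.
BLOCK_RE = re.compile(
    r"<!--\s*wp:([a-z0-9-]+(?:/[a-z0-9-]+)?)\s*(\{.*?\})?\s*/?-->", re.DOTALL
)

# Content a Contributor has no business storing in a text attribute.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|iframe|object|embed|svg|img)\b"  # injected elements
    r"|\bon[a-z]+\s*="                                  # inline event handlers
    r"|javascript\s*:",                                 # javascript: URLs
    re.IGNORECASE,
)

def find_json_text(value):
    """Yield every string stored under a key named jsonText, at any depth."""
    if isinstance(value, dict):
        for key, item in value.items():
            if key == "jsonText" and isinstance(item, str):
                yield item
            else:
                yield from find_json_text(item)
    elif isinstance(value, list):
        for item in value:
            yield from find_json_text(item)

def scan_post(post_id, content):
    """Return (post_id, block_name, value) findings for one post's content."""
    findings = []
    for match in BLOCK_RE.finditer(content):
        block, attrs = match.group(1), match.group(2)
        if not attrs:
            continue
        try:
            parsed = json.loads(attrs)
        except json.JSONDecodeError:
            # Attribute JSON that WordPress could not have written is worth a look too.
            findings.append((post_id, block, "<unparseable attributes>"))
            continue
        for text in find_json_text(parsed):
            if SUSPICIOUS.search(text):
                findings.append((post_id, block, text))
    return findings

# Constructed sample rows; "example/faq" is a hypothetical block name.
SAMPLE_POSTS = {
    101: '<!-- wp:example/faq {"jsonText":"Plain question and answer."} /-->',
    102: '<!-- wp:example/faq {"jsonText":"<img src=x onerror=alert(1)>"} /-->',
    103: '<!-- wp:paragraph --><p>Hello</p><!-- /wp:paragraph -->',
}

def scan_all(posts):
    return [f for pid, body in posts.items() for f in scan_post(pid, body)]
```

Run `scan_all` over every row of wp_posts (revisions included, since a payload may sit in an unpublished revision) and review each hit manually before deleting it.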

Why this matters — practical risk assessment

Stored XSS is persistent and executes in the security context of trusted users. For Hong Kong-based organisations and editorial teams that rely on collaborative workflows, the consequences can be material:

  • Account compromise of Editor/Admin sessions (cookie theft, token capture).
  • Unauthorized admin actions: creating accounts, modifying plugins/themes, changing site options.
  • Site defacement, SEO spam injection, redirects, or covert data exfiltration.

Constraints that reduce risk: an attacker needs a Contributor account (or equivalent), and a privileged user must open the content. Nonetheless, many sites accept contributors or have multi-author workflows — do not assume safety.

Realistic attack flow

  1. Attacker obtains or creates a Contributor account (registration, stolen credentials, social engineering).
  2. Contributor creates/edits a post or block embedding a payload in a jsonText attribute that includes JavaScript (e.g.,