{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1293", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-21T16:53:09.134Z", "datePublished": "2026-02-06T11:21:30.973Z", "dateUpdated": "2026-04-08T17:05:48.147Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:48.147Z"}, "affected": [{"vendor": "yoast", "product": "Yoast SEO \u2013 Advanced SEO with real-time guidance and built-in AI", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "26.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Yoast SEO \u2013 Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the `yoast-schema` block attribute in all versions up to, and including, 26.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Yoast SEO <= 26.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'yoast-schema' Block Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8b2e7c2d-ed2f-439b-9cee-f2e5d46121b6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/src/presenters/schema-presenter.php#L49"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/inc/class-wpseo-utils.php#L915"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/src/generators/schema-generator.php#L188"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "suyoung kim"}], "timeline": [{"time": "2026-01-09T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-02-05T22:18:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-06T12:27:02.594220Z", "id": "CVE-2026-1293", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T12:27:32.895Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1293", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-06T12:27:02.594220Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T12:27:22.998Z"}}], "cna": {"title": "Yoast SEO <= 26.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'yoast-schema' Block Attribute", "credits": [{"lang": "en", "type": "finder", "value": "suyoung kim"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "yoast", "product": "Yoast SEO \u2013 Advanced SEO with real-time guidance and built-in AI", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "26.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-09T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-02-05T22:18:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8b2e7c2d-ed2f-439b-9cee-f2e5d46121b6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/src/presenters/schema-presenter.php#L49"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/inc/class-wpseo-utils.php#L915"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/src/generators/schema-generator.php#L188"}], "descriptions": [{"lang": "en", "value": "The Yoast SEO \u2013 Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the `yoast-schema` block attribute in all versions up to, and including, 26.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:48.147Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1293", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:05:48.147Z", "dateReserved": "2026-01-21T16:53:09.134Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-06T11:21:30.973Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Yoast SEO \u2013 Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the `yoast-schema` block attribute in all versions up to, and including, 26.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Yoast SEO \u2013 SEO avanzado con gu\u00eda en tiempo real e IA integrada para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del atributo de bloque 'yoast-schema' en todas las versiones hasta la 26.8, inclusive, debido a sanitizaci\u00f3n de entrada y escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de nivel Colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-1293", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-06T12:16:25.133", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/inc/class-wpseo-utils.php#L915"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/src/generators/schema-generator.php#L188"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/src/presenters/schema-presenter.php#L49"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8b2e7c2d-ed2f-439b-9cee-f2e5d46121b6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T18:45:06.086574+00:00", "value": {"mitigation_remediation": ["Upgrade Yoast SEO to version 26.9 or later, which removes the vulnerable block attribute handling.", "Limit the use of Contributor or higher roles to trusted users or revoke such access when not needed to prevent unauthorized script injection.", "Implement a site\u2011wide script filter or CSP that disallows inline scripts from unknown sources to mitigate the impact of any leftover malicious code."], "summary": {"action": "Apply Patch", "impact": "Authenticated Stored Cross-Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is Yoast SEO \u2013 Advanced SEO with real-time guidance and built-in AI for WordPress. All releases up to and including version 26.8 are vulnerable. Systems running WordPress with an active Yoast SEO installation and contributor or higher level access are at risk.", "description_and_impact": "The vulnerability occurs when user-supplied data is inserted into the yoast-schema block attribute without adequate sanitization or escaping, allowing an attacker to embed malicious JavaScript. The injected payload is persisted in the database and is executed on every page view, giving the attacker a persistent foothold. This yields confidentiality and integrity compromise for any user who visits the compromised page, as well as potential defacement or phishing attacks. The weakness is categorized as CWE\u201179, a classic reflected XSS that becomes stored.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity, while the EPSS score of less than 1% suggests the likelihood of exploitation is low. It is not listed in the CISA KEV catalog, so no known active exploits have been recorded. The attack vector requires the attacker to be authenticated with Contributor\u2011level privileges or higher and to edit or insert a page using the yoast-schema block. Once the payload is stored, any visitor to the affected page will execute the injected script, making the compromise highly actionable for the attacker."}}}}, "created": "2026-02-09T10:52:31.339304+00:00", "updated": "2026-04-15T18:45:11.467618+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "yoast", "yoast$PRODUCT$yoast_seo"]}