Stored Cross-Site Scripting Vulnerability in Yoast SEO Premium Plugin for WordPress
CVE-2025-11241

6.4 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 3 October 2025

What is CVE-2025-11241?

The Yoast SEO Premium plugin for WordPress suffers from a Stored Cross-Site Scripting vulnerability, primarily due to an inadequate regex implementation used to sanitize post content. This flaw allows users with Contributor or higher permissions to inject arbitrary HTML attributes, including harmful JavaScript event handlers, into posts. Consequently, this can lead to the execution of malicious scripts on affected websites, compromising site integrity and user data security.

Affected Version(s)

Yoast SEO Premium 25.7 <= 25.9

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Matthew Rollings