Stored Cross-Site Scripting Vulnerability in Yoast SEO Premium Plugin for WordPress
CVE-2025-11241
6.4 MEDIUM
What is CVE-2025-11241?
The Yoast SEO Premium plugin for WordPress suffers from a Stored Cross-Site Scripting vulnerability, primarily due to an inadequate regex implementation used to sanitize post content. This flaw allows users with Contributor or higher permissions to inject arbitrary HTML attributes, including harmful JavaScript event handlers, into posts. Consequently, this can lead to the execution of malicious scripts on affected websites, compromising site integrity and user data security.
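The following is an added example, not Yoast's code and not part of the advisory. It audits stored post content with an HTML parser instead of a regex and reports the script-capable attributes the description refers to. The function names, post ids and sample post bodies are constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes that take a URL; checked for the javascript: scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


class _AttrAuditor(HTMLParser):
    """Collects (tag, attribute, value) triples that can run script."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes entities in values,
        # so OnClick= and &#106;avascript: are seen in normalised form.
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append((tag, name, value))
            elif name in URL_ATTRS:
                # Browsers drop tabs and newlines inside a URL scheme.
                if "".join(value.split()).lower().startswith("javascript:"):
                    self.findings.append((tag, name, value))


def audit_post_content(html):
    """Return script-capable attributes found in one post body."""
    auditor = _AttrAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def audit_posts(posts):
    """Map post id -> findings, for posts with at least one finding."""
    audited = ((pid, audit_post_content(body)) for pid, body in posts.items())
    return {pid: found for pid, found in audited if found}


# Constructed sample post bodies (hypothetical post ids), not real data.
SAMPLE_POSTS = {
    101: '<p>Plain text with a <a href="https://example.com/">link</a>.</p>',
    102: '<p class="intro" OnMouseOver="alert(1)">Hover text</p>',
    103: '<a href="&#106;ava\tscript:alert(1)">read more</a>',
}

if __name__ == "__main__":
    print(audit_posts(SAMPLE_POSTS))
```

A finding marks stored content for review; it does not by itself show that the plugin processed that post.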

Affected Version(s)
Yoast SEO Premium 25.7 <= 25.9