Stored Cross-Site Scripting Vulnerability in Yoast SEO Plugin for WordPress
CVE-2026-3427

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Yoast Seo – Advanced Seo With Real-time Guidance And Built-in Ai
Vendor: CVE Published:; 22 March 2026

What is CVE-2026-3427?

The Yoast SEO plugin for WordPress contains a vulnerability that allows authenticated users with Contributor-level access or higher to exploit the plugin via the jsonText block attribute. This insufficient input sanitization and output escaping results in the potential injection of arbitrary web scripts into pages. When these pages are accessed by users, the injected scripts can execute, compromising site security and possibly leading to further exploitation.

Affected Version(s)

Yoast SEO – Advanced SEO with real-time guidance and built-in AI 0 <= 27.1.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wordpress-seo/...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 22, 2026
Vulnerability Reserved
Mar 2, 2026

Credit

Osvaldo Noe Gonzalez Del Rio

CVE-2026-3427 Data

JSON