cleantalk
Vulnerabilities and Security Researches

Yoast SEO, CVE-2026-1293

CVE, Research URL

CVE-2026-1293

Home page URL

Security reports for Yoast SEO

Application

Yoast SEO

Published on
Feb 06, 2026
Research Description
The Yoast SEO – Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the `yoast-schema` block attribute in all versions up to, and including, 26.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 26.9.
Status
vulnerable
Previous vulnerability researches
Doofinder WP & WooCommerce Search (CVE-2023-40602) , Jun 07, 2024
Doofinder WP & WooCommerce Search (CVE-2023-49185) , Jun 07, 2024
Doofinder WP & WooCommerce Search (CVE-2023-51678) , Jun 07, 2024
Doofinder WP & WooCommerce Search (CVE-2024-25596) , Jun 07, 2024
Doofinder WP & WooCommerce Search (CVE-2026-39542) , Apr 14, 2026
New vulnerability
All-in-One Video Gallery (CVE-2026-1706) , Apr 15, 2026
Simple Membership (CVE-2026-34886) , Apr 15, 2026
Simple Membership (CVE-2026-1461) , Apr 15, 2026
WP-DownloadManager (CVE-2026-2426) , Apr 15, 2026
WP-DownloadManager (CVE-2026-2419) , Apr 15, 2026