Yoast
Products by Yoast Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have so far been 5 vulnerabilities in Yoast products, with an average CVSS score of 5.6 out of 10. No Yoast vulnerabilities were published in 2025, so 2026 already has 5 more than the previous year.
| Year | Vulnerabilities | Average CVSS Score |
|---|---|---|
| 2026 | 5 | 5.60 |
| 2025 | 0 | 0.00 |
| 2024 | 3 | 5.93 |
| 2023 | 4 | 5.98 |
| 2022 | 2 | 5.70 |
| 2021 | 3 | 5.73 |
| 2020 | 0 | 0.00 |
| 2019 | 1 | 0.00 |
| 2018 | 1 | 6.60 |
It may take a day or so for new Yoast vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Yoast Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2025-14481 | May 27, 2026 | Yoast SEO plugin <=26.5 IDOR via Meta Search REST API. The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify post ownership. This makes it possible for authenticated attackers, with Contributor-level access and above, to read sensitive SEO metadata from any post on the site via the 'post_id' parameter, including posts owned by other users, private posts, and draft posts. | Yoast SEO |
| CVE-2026-3427 | Mar 22, 2026 | Yoast SEO plugin <=27.1.1 Stored XSS via `jsonText` block attribute. The Yoast SEO (Advanced SEO with real-time guidance and built-in AI) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `jsonText` block attribute in all versions up to, and including, 27.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | Yoast SEO |
| CVE-2026-1217 | Mar 18, 2026 | Yoast Duplicate Post <=4.5: Unauthorized Data Modification via Missing Capability Check. The Yoast Duplicate Post plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clone_bulk_action_handler() and republish_request() functions in all versions up to, and including, 4.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate any post on the site, including private, draft, and trashed posts they shouldn't have access to. Additionally, attackers with Author-level access and above can use the Rewrite & Republish feature to overwrite any published post with their own content. | Yoast Duplicate Post |
| CVE-2019-25314 | Feb 11, 2026 | Yoast Duplicate Post plugin 3.2.3: Persistent XSS in Settings Parameters. Yoast Duplicate Post WordPress plugin 3.2.3 contains a persistent cross-site scripting vulnerability in plugin settings parameters. Attackers can inject malicious scripts into the title prefix, suffix, menu order, and blacklist fields to execute arbitrary JavaScript in admin interfaces. | Yoast Duplicate Post |
| CVE-2026-1293 | Feb 06, 2026 | Yoast SEO plugin <=26.8 Stored XSS via `yoast-schema` block attribute. The Yoast SEO (Advanced SEO with real-time guidance and built-in AI) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `yoast-schema` block attribute in all versions up to, and including, 26.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | Yoast SEO |
| CVE-2023-28775 | Jun 11, 2024 | Yoast SEO Premium <=20.4 Missing Authorization. Missing Authorization vulnerability in Yoast SEO Premium. This issue affects Yoast SEO Premium: from n/a through 20.4. | Yoast SEO Premium |
| CVE-2024-4984 | May 16, 2024 | Yoast SEO <=22.6 Stored XSS via display_name author meta (Contributor+ access). The Yoast SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the display_name author meta in all versions up to, and including, 22.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | Yoast SEO |
| CVE-2024-4041 | May 14, 2024 | Yoast SEO <=22.5 Reflected XSS via URL parameter. The Yoast SEO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URLs in all versions up to, and including, 22.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | Yoast SEO |
| CVE-2023-40680 | Nov 30, 2023 | Yoast SEO <=21.0: Stored XSS via Improper Input Neutralization. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yoast SEO (Team Yoast) allows Stored XSS. This issue affects Yoast SEO: from n/a through 21.0. | Yoast SEO |
| CVE-2023-28780 | Nov 18, 2023 | Yoast Local Premium <=14.8 CSRF via 'add_location' endpoint. Cross-Site Request Forgery (CSRF) vulnerability in Yoast Local Premium. This issue affects Yoast Local Premium: from n/a through 14.8. | Yoast Local Premium |
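Two bug classes recur in the table above: object-level authorization that is missing or checks only the caller's role (the IDOR and missing-capability-check entries), and block attributes written into the page without output escaping (the stored XSS entries). The PHP below is an added illustration of the generic WordPress patterns behind each, vulnerable form beside hardened form; it is not Yoast's code and not a reconstruction of any Yoast vulnerability. The namespace `example-seo/v1`, the routes, the `example_clone_post` action, the `jsonText` attribute handling and the meta key `_example_seo_title` are all hypothetical names chosen for the example.

```php
<?php
// Added illustration, not code from Yoast or any of its plugins. Each of the
// two bug classes recurring in the table above is shown as a vulnerable
// pattern beside its hardened form. Route, action, block-attribute and
// meta-key names are hypothetical.

const EXAMPLE_NS       = 'example-seo/v1';
const EXAMPLE_META_KEY = '_example_seo_title';

// --- 1. Object-level authorization (IDOR / missing capability check) ----

add_action( 'rest_api_init', function () {
	// Vulnerable: only checks that the caller has a role with edit_posts, not
	// that they may touch the post named in post_id. Any Contributor can read
	// metadata of other users' drafts and private posts.
	register_rest_route( EXAMPLE_NS, '/meta-insecure', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => 'example_read_meta',
		'permission_callback' => function () {
			return current_user_can( 'edit_posts' );
		},
		'args' => array( 'post_id' => array( 'type' => 'integer', 'required' => true ) ),
	) );

	// Hardened: the capability is checked against the specific post, so WordPress
	// maps edit_post to edit_others_posts / edit_private_posts as the post's
	// author and status require.
	register_rest_route( EXAMPLE_NS, '/meta', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => 'example_read_meta',
		'permission_callback' => function ( WP_REST_Request $request ) {
			$post = get_post( (int) $request->get_param( 'post_id' ) );
			if ( ! $post ) {
				return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
			}
			if ( ! current_user_can( 'edit_post', $post->ID ) ) {
				return new WP_Error( 'rest_forbidden', 'Not allowed to read this post.', array( 'status' => rest_authorization_required_code() ) );
			}
			return true;
		},
		'args' => array(
			'post_id' => array( 'type' => 'integer', 'required' => true, 'sanitize_callback' => 'absint' ),
		),
	) );
} );

function example_read_meta( WP_REST_Request $request ) {
	$post_id = (int) $request->get_param( 'post_id' );
	return rest_ensure_response( array(
		'post_id' => $post_id,
		'title'   => get_post_meta( $post_id, EXAMPLE_META_KEY, true ),
	) );
}

// Same rule for a non-REST action handler: the nonce proves the request was
// intended (anti-CSRF); only current_user_can( 'edit_post', $id ) proves the
// caller is allowed to duplicate *this* post.
add_action( 'admin_action_example_clone_post', function () {
	$post_id = isset( $_GET['post'] ) ? absint( $_GET['post'] ) : 0;
	check_admin_referer( 'example_clone_post_' . $post_id );
	$post = get_post( $post_id );
	if ( ! $post || ! current_user_can( 'edit_post', $post->ID ) ) {
		wp_die( esc_html__( 'You are not allowed to duplicate this post.' ), 403 );
	}
	$new_id = wp_insert_post( array(
		'post_title'   => $post->post_title,
		'post_content' => $post->post_content,
		'post_type'    => $post->post_type,
		'post_status'  => 'draft',
		'post_author'  => get_current_user_id(),
	), true );
	if ( is_wp_error( $new_id ) ) {
		wp_die( esc_html( $new_id->get_error_message() ), 500 );
	}
	wp_safe_redirect( get_edit_post_link( $new_id, 'raw' ) );
	exit;
} );

// --- 2. Output escaping for a block attribute (stored XSS) ---------------

// Vulnerable: a Contributor-supplied attribute is written into the page as-is,
// so a value containing "</script><img src=x onerror=alert(1)>" leaves the
// script element and executes for every visitor.
function example_render_schema_insecure( array $attributes ) {
	$json = isset( $attributes['jsonText'] ) ? $attributes['jsonText'] : '';
	return '<script type="application/ld+json">' . $json . '</script>';
}

// Hardened: treat the attribute as data. Decode it as JSON, reject anything
// else, and re-encode with JSON_HEX_TAG so "<" and ">" become \u003C / \u003E
// and no closing tag can appear inside the script element.
function example_render_schema( array $attributes ) {
	$json = isset( $attributes['jsonText'] ) ? $attributes['jsonText'] : '';
	$data = json_decode( $json, true );
	if ( ! is_array( $data ) ) {
		return '';
	}
	return '<script type="application/ld+json">' . wp_json_encode( $data, JSON_HEX_TAG | JSON_HEX_AMP ) . '</script>';
}
```

The render functions would be wired up through `register_block_type()` as a `render_callback`. The point of the authorization half is that WordPress capability checks are only object-aware when given the object: `current_user_can( 'edit_posts' )` answers "does this role edit posts at all", while `current_user_can( 'edit_post', $id )` answers "may this user edit this post", which is the question an IDOR or a bulk-action handler actually needs answered. The escaping half matters because block attributes live inside HTML comments in post content, which KSES filtering for Contributors leaves alone, so the server-side renderer is the last place the value can be treated as untrusted.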