Yoast Seo
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Yoast Seo.
By the Year
In 2026 there have been 1 vulnerability in Yoast Seo with an average score of 6.4 out of ten. Yoast Seo did not have any published security vulnerabilities last year. That is, 1 more vulnerability have already been reported in 2026 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 6.40 |
| 2025 | 0 | 0.00 |
| 2024 | 2 | 5.70 |
| 2023 | 3 | 5.80 |
| 2022 | 1 | 5.30 |
| 2021 | 3 | 5.73 |
| 2020 | 0 | 0.00 |
| 2019 | 1 | 0.00 |
| 2018 | 1 | 6.60 |
It may take a day or so for new Yoast Seo vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Yoast Seo Security Vulnerabilities
Yoast SEO WP plugin Stored XSS via yoast-schema block attr <=26.8
CVE-2026-1293
6.4 - Medium
- February 06, 2026
The Yoast SEO Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the `yoast-schema` block attribute in all versions up to, and including, 26.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
Yoast SEO Premium <=20.4 Missing Auth Vulnerability
CVE-2023-28775
5.3 - Medium
- June 11, 2024
Missing Authorization vulnerability in Yoast Yoast SEO Premium.This issue affects Yoast SEO Premium: from n/a through 20.4.
AuthZ
Yoast SEO <=22.5 Reflected XSS via URL Parameter
CVE-2024-4041
6.1 - Medium
- May 14, 2024
The Yoast SEO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URLs in all versions up to, and including, 22.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
XSS
Yoast SEO WP Plugin 21.0: Stored XSS via Improper Input Neutralization
CVE-2023-40680
4.8 - Medium
- November 30, 2023
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Team Yoast Yoast SEO allows Stored XSS.This issue affects Yoast SEO: from n/a through 21.0.
XSS
Yoast SEO: Local <=14.8 Unauth Reflected XSS
CVE-2023-32300
6.1 - Medium
- August 23, 2023
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Yoast Yoast SEO: Local plugin <= 14.8 versions.
XSS
Yoast SEO: Local <=14.9 XSS in Stored Content
CVE-2023-28785
6.5 - Medium
- May 28, 2023
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Yoast Yoast SEO: Local plugin <= 14.9 versions.
XSS
The Yoast SEO WordPress plugin (from versions 16.7 until 17.2) discloses the full internal path of featured images in posts
CVE-2021-25118
5.3 - Medium
- February 28, 2022
The Yoast SEO WordPress plugin (from versions 16.7 until 17.2) discloses the full internal path of featured images in posts via the wp/v2/posts REST endpoints which could help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities.
Information Disclosure
The yoast_seo (aka Yoast SEO) extension before 7.2.3 for TYPO3
CVE-2021-36788
5.4 - Medium
- August 13, 2021
The yoast_seo (aka Yoast SEO) extension before 7.2.3 for TYPO3 allows XSS.
XSS
The yoast_seo (aka Yoast SEO) extension before 7.2.1 for TYPO3
CVE-2021-31779
6.4 - Medium
- April 28, 2021
The yoast_seo (aka Yoast SEO) extension before 7.2.1 for TYPO3 allows SSRF via a backend user account.
SSRF
A Stored Cross-Site Scripting vulnerability was discovered in the Yoast SEO WordPress plugin before 3.4.1
CVE-2021-24153
5.4 - Medium
- April 05, 2021
A Stored Cross-Site Scripting vulnerability was discovered in the Yoast SEO WordPress plugin before 3.4.1, which had built-in blacklist filters which were blacklisting Parenthesis as well as several functions such as alert but bypasses were found.
XSS
The Yoast SEO plugin before 11.6-RC5 for WordPress does not properly restrict unfiltered HTML in term descriptions.
CVE-2019-13478
- July 09, 2019
The Yoast SEO plugin before 11.6-RC5 for WordPress does not properly restrict unfiltered HTML in term descriptions.
A Race condition vulnerability in unzip_file in admin/import/class-import-settings.php in the Yoast SEO (wordpress-seo) plugin before 9.2.0 for WordPress
CVE-2018-19370
6.6 - Medium
- November 28, 2018
A Race condition vulnerability in unzip_file in admin/import/class-import-settings.php in the Yoast SEO (wordpress-seo) plugin before 9.2.0 for WordPress allows an SEO Manager to perform command execution on the Operating System via a ZIP import.
Race Condition
