Plateforme
wordpress
Composant
wordpress-seo
Corrigé dans
27.2.0
CVE-2026-3427 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in the Yoast SEO WordPress plugin. This flaw allows authenticated attackers, possessing Contributor-level access or higher, to inject arbitrary web scripts. These scripts will then execute whenever a user views a page containing the injected code, potentially leading to account compromise or website defacement. The vulnerability affects versions from 0.0.0 up to and including 27.1.1, with a fix available in version 27.2.
The impact of this XSS vulnerability is significant, particularly given the widespread use of the Yoast SEO plugin. An attacker could inject malicious JavaScript code into a page, which would then be executed in the browsers of any user who visits that page. This could be used to steal user cookies, redirect users to phishing sites, or even deface the website. Because the vulnerability requires only Contributor-level access, it is relatively easy for an attacker to exploit if they have gained a foothold on the WordPress site. The blast radius extends to all users who view the affected pages, potentially impacting a large number of visitors.
As of the publication date (2026-03-22), this CVE has not been listed on KEV or EPSS. The CVSS score of 6.4 indicates a Medium probability of exploitation. Public proof-of-concept (POC) code is currently unavailable, but the vulnerability's ease of exploitation suggests it may become a target for opportunistic attackers. Monitor security advisories and threat intelligence feeds for updates.
Statut de l'Exploit
EPSS
0.04% (percentile 11%)
CISA SSVC
Vecteur CVSS
The primary mitigation for CVE-2026-3427 is to upgrade the Yoast SEO plugin to version 27.2 or later. If an immediate upgrade is not possible due to compatibility issues or breaking changes, consider implementing a temporary workaround. Web Application Firewalls (WAFs) can be configured to filter potentially malicious input in the jsonText field. Carefully review and sanitize all user-supplied data before rendering it on the page. Monitor WordPress logs for suspicious activity, specifically looking for unusual JavaScript execution patterns. After upgrading, verify the fix by attempting to inject a simple JavaScript payload into a page and confirming that it is not executed.
Update to version 27.2, or a newer patched version
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2026-3427 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Yoast SEO plugin for WordPress. It allows authenticated attackers with Contributor access to inject malicious scripts into pages, impacting visitors.
You are affected if you are using Yoast SEO versions 0.0.0 through 27.1.1. Check your plugin version and upgrade immediately if you are vulnerable.
Upgrade the Yoast SEO plugin to version 27.2 or later. If an immediate upgrade is not possible, implement WAF rules and carefully sanitize user input.
As of the publication date, there is no public evidence of active exploitation, but the vulnerability's ease of exploitation suggests it may become a target.
Refer to the official Yoast SEO security advisory on their website for the most up-to-date information and details regarding this vulnerability.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.