Platform
wordpress
Component
wordpress-seo
Fixed version
27.2.0
CVE-2026-3427 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in the Yoast SEO WordPress plugin. This flaw allows authenticated attackers, possessing Contributor-level access or higher, to inject arbitrary web scripts. These scripts will then execute whenever a user views a page containing the injected code, potentially leading to account compromise or website defacement. The vulnerability affects versions from 0.0.0 up to and including 27.1.1, with a fix available in version 27.2.
The impact of this XSS vulnerability is significant, particularly given the widespread use of the Yoast SEO plugin. An attacker could inject malicious JavaScript code into a page, which would then be executed in the browsers of any user who visits that page. This could be used to steal user cookies, redirect users to phishing sites, or even deface the website. Because the vulnerability requires only Contributor-level access, it is relatively easy for an attacker to exploit if they have gained a foothold on the WordPress site. The blast radius extends to all users who view the affected pages, potentially impacting a large number of visitors.
As of the publication date (2026-03-22), this CVE has not been listed on KEV or EPSS. The CVSS score of 6.4 places it at Medium severity. Public proof-of-concept (POC) code is currently unavailable, but the low privilege required (Contributor) suggests it may become a target for opportunistic attackers. Monitor security advisories and threat intelligence feeds for updates.
Exploit status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3427 is to upgrade the Yoast SEO plugin to version 27.2 or later. If an immediate upgrade is not possible due to compatibility issues or breaking changes, consider implementing a temporary workaround. Web Application Firewalls (WAFs) can be configured to filter potentially malicious input in the jsonText field. Carefully review and sanitize all user-supplied data before rendering it on the page. Monitor WordPress logs for suspicious activity, specifically looking for unusual JavaScript execution patterns. After upgrading, verify the fix by attempting to inject a simple JavaScript payload into a page and confirming that it is not executed.
Update to version 27.2, or a newer patched version
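Added example, not part of this advisory or of the Yoast project: a POSIX shell check that compares an installed wordpress-seo version against the fixed version given above (27.2.0), so that anything at or below 27.1.1 is flagged. The `check_site_plugin` wrapper and its use of WP-CLI's `wp plugin get` with a site path are assumptions about how a site is inspected.

```shell
#!/bin/sh
# Version of the Yoast SEO (wordpress-seo) plugin that fixes CVE-2026-3427,
# taken from the advisory above; every version below it is affected.
FIXED_VERSION="27.2.0"

# version_lt A B: exit 0 if A < B, comparing dot-separated numeric fields.
# Missing trailing fields count as 0, so "27.2" equals "27.2.0".
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1;   # equal: not less than
    }'
}

# yoast_status VERSION: prints "vulnerable" or "patched";
# exits 0 when the version is in the affected range, 1 otherwise.
yoast_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "vulnerable"
        return 0
    fi
    echo "patched"
    return 1
}

# check_site_plugin WP_PATH (assumed helper): reads the installed version
# through WP-CLI and reports it. Exit 2 if WP-CLI cannot read the plugin.
check_site_plugin() {
    ver=$(wp plugin get wordpress-seo --field=version --path="$1") || return 2
    printf 'wordpress-seo %s: ' "$ver"
    yoast_status "$ver"
}
```

Run `check_site_plugin /var/www/html` (path is an assumption) on each site; an exit status of 0 means the upgrade to 27.2 or later is still outstanding.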
CVE-2026-3427 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Yoast SEO plugin for WordPress. It allows authenticated attackers with Contributor access to inject malicious scripts into pages, impacting visitors.
You are affected if you are using Yoast SEO versions 0.0.0 through 27.1.1. Check your plugin version and upgrade immediately if you are vulnerable.
Upgrade the Yoast SEO plugin to version 27.2 or later. If an immediate upgrade is not possible, implement WAF rules and carefully sanitize user input.
As of the publication date, there is no public evidence of active exploitation, but the vulnerability's ease of exploitation suggests it may become a target.
Refer to the official Yoast SEO security advisory on their website for the most up-to-date information and details regarding this vulnerability.