Platform
wordpress
Component
wordpress-seo
Fixed in
26.8.1
CVE-2026-1293 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in the Yoast SEO plugin for WordPress. This vulnerability allows authenticated attackers, possessing Contributor-level access or higher, to inject malicious web scripts into pages. Successful exploitation can lead to the execution of arbitrary JavaScript code in the browsers of users who subsequently access those pages, potentially compromising their sessions or stealing sensitive information. The vulnerability affects versions 0.0.0 through 26.8, and a patch is available in version 26.9.
An attacker exploiting this XSS vulnerability could execute arbitrary JavaScript code within the context of a user's browser session. This could lead to various malicious outcomes, including session hijacking, redirection to phishing sites, defacement of the website, or the theft of sensitive data like user credentials or personal information. The impact is amplified if the website is used for e-commerce or handles sensitive user data, as attackers could potentially gain access to financial information or other confidential details. The stored nature of the XSS means the injected script persists until removed, potentially affecting numerous users over time. This vulnerability shares similarities with other XSS attacks where malicious scripts are injected into trusted websites to compromise user accounts and data.
CVE-2026-1293 was published on February 6, 2026. Its severity is currently assessed as Medium. There are no known public exploits or active campaigns targeting this vulnerability at the time of writing. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The EPSS score is pending evaluation, but given the lack of public exploits, the probability of exploitation is currently considered low.
Exploit Status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-1293 is to immediately upgrade the Yoast SEO plugin to version 26.9 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a temporary workaround by sanitizing user input within the yoast-schema block attribute. While not a complete solution, this can reduce the attack surface. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of defense. Monitor WordPress logs for suspicious activity, particularly requests involving the yoast-schema block, and implement strict access controls to limit user privileges to the minimum necessary.
Update to version 26.9, or a newer patched version
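The mitigation above asks for log monitoring of requests that involve the yoast-schema block. The script below is an added example of what that detection could look like; it is not code from Yoast, WordPress, or this advisory. It assumes a JSON-lines request log with `ts`, `user`, `role`, `uri` and `body` fields (WordPress core does not log request bodies, so a reverse proxy or WAF would have to supply them), and it assumes the block serialises in the usual Gutenberg form `<!-- wp:yoast-schema {json} /-->`; the block name is taken from the advisory, the exact serialisation is an assumption. The sample log lines are constructed.

```python
"""Flag save requests whose yoast-schema block attributes carry script-like
markup.  Added example, not code from Yoast or WordPress.  Assumptions: a
JSON-lines request log with ts/user/role/uri/body fields, and a block that
serialises as <!-- wp:yoast-schema {json} /-->."""

import json
import re
import urllib.parse

# Serialised block comment with its optional JSON attribute object (assumed form).
BLOCK_RE = re.compile(r"<!--\s*wp:yoast-schema(?:\s+(\{.*?\}))?\s*/?-->", re.S)

# Markup that has no legitimate place inside a schema text attribute.
SCRIPT_MARKERS = re.compile(
    r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:iframe|object|embed)\b",
    re.I,
)

# Endpoints through which block content is saved (a subset, for the example).
SAVE_ENDPOINTS = re.compile(r"/wp-json/wp/v2/(?:posts|pages)|/wp-admin/post\.php")


def _strings(value):
    """Yield every string nested anywhere in a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)


def find_suspicious_attrs(body):
    """Return the attribute strings inside yoast-schema blocks that look like markup."""
    hits = []
    decoded = urllib.parse.unquote_plus(body)  # classic editor saves are form-encoded
    for m in BLOCK_RE.finditer(decoded):
        raw = m.group(1)
        if raw is None:
            continue  # block without attributes: nothing to inspect
        try:
            attrs = json.loads(raw)
        except json.JSONDecodeError:
            hits.append(raw)  # malformed attribute JSON is itself worth a look
            continue
        hits.extend(s for s in _strings(attrs) if SCRIPT_MARKERS.search(s))
    return hits


def scan_log(lines):
    """Return one finding per save request whose yoast-schema attributes match."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        if not SAVE_ENDPOINTS.search(rec.get("uri", "")):
            continue  # only content-saving endpoints are in scope for this rule
        hits = find_suspicious_attrs(rec.get("body", ""))
        if hits:
            findings.append({
                "ts": rec["ts"], "user": rec["user"], "role": rec.get("role"),
                "uri": rec["uri"], "matches": hits,
            })
    return findings


# Constructed sample log (JSON lines); none of this is real traffic.
SAMPLE_LOG = [json.dumps(r) for r in [
    {"ts": "2026-02-06T10:01:12Z", "user": "alice", "role": "contributor",
     "uri": "/wp-json/wp/v2/posts/12",
     "body": '<!-- wp:yoast-schema {"description":"Plain text about the article"} /-->'},
    {"ts": "2026-02-06T10:03:40Z", "user": "bob", "role": "contributor",
     "uri": "/wp-json/wp/v2/posts/13",
     "body": '<!-- wp:yoast-schema {"name":"t","description":"<script>alert(1)</script>"} /-->'},
    {"ts": "2026-02-06T10:05:02Z", "user": "carol", "role": "author",
     "uri": "/wp-admin/post.php",
     "body": urllib.parse.quote_plus(
         '<!-- wp:yoast-schema {"steps":[{"text":"<a href=\\"javascript:void(0)\\">x</a>"}]} /-->')},
    {"ts": "2026-02-06T10:06:30Z", "user": "dave", "role": "subscriber",
     "uri": "/wp-comments-post.php",
     "body": "comment=<script>alert(1)</script>"},  # not a block save: out of scope
]]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']} ({f['role']}) {f['uri']}: {f['matches']}")
```

Run against the constructed log, only the two saves by `bob` and `carol` are reported; the plain-text schema and the comment-form request are ignored. The rule is deliberately scoped to block saves on content endpoints so that it reports who stored the attribute and under which role, which is the triage information a responder wants when checking whether a Contributor-level account was used.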
CVE-2026-1293 is a Stored Cross-Site Scripting (XSS) vulnerability in the Yoast SEO WordPress plugin, allowing authenticated attackers to inject malicious scripts via the yoast-schema block attribute, affecting versions 0.0.0–26.8.
You are affected if you are using Yoast SEO versions 0.0.0 through 26.8 and have users with Contributor access or higher.
Upgrade the Yoast SEO plugin to version 26.9 or later. As a temporary workaround, sanitize user input within the yoast-schema block attribute.
Currently, there are no known public exploits or active campaigns targeting CVE-2026-1293.
Refer to the official Yoast SEO website and WordPress security announcements for the latest advisory regarding CVE-2026-1293.