平台
wordpress
组件
wordpress-seo
修复版本
27.2.0
CVE-2026-3427 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in the Yoast SEO WordPress plugin. This flaw allows authenticated attackers, possessing Contributor-level access or higher, to inject arbitrary web scripts. These scripts will then execute whenever a user views a page containing the injected code, potentially leading to account compromise or website defacement. The vulnerability affects versions from 0.0.0 up to and including 27.1.1, with a fix available in version 27.2.
The impact of this XSS vulnerability is significant, particularly given the widespread use of the Yoast SEO plugin. An attacker could inject malicious JavaScript code into a page, which would then be executed in the browsers of any user who visits that page. This could be used to steal user cookies, redirect users to phishing sites, or even deface the website. Because the vulnerability requires only Contributor-level access, it is relatively easy for an attacker to exploit if they have gained a foothold on the WordPress site. The blast radius extends to all users who view the affected pages, potentially impacting a large number of visitors.
As of the publication date (2026-03-22), this CVE has not been listed on KEV or EPSS. The CVSS score of 6.4 indicates a Medium probability of exploitation. Public proof-of-concept (POC) code is currently unavailable, but the vulnerability's ease of exploitation suggests it may become a target for opportunistic attackers. Monitor security advisories and threat intelligence feeds for updates.
漏洞利用状态
EPSS
0.04% (11% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2026-3427 is to upgrade the Yoast SEO plugin to version 27.2 or later. If an immediate upgrade is not possible due to compatibility issues or breaking changes, consider implementing a temporary workaround. Web Application Firewalls (WAFs) can be configured to filter potentially malicious input in the jsonText field. Carefully review and sanitize all user-supplied data before rendering it on the page. Monitor WordPress logs for suspicious activity, specifically looking for unusual JavaScript execution patterns. After upgrading, verify the fix by attempting to inject a simple JavaScript payload into a page and confirming that it is not executed.
Update to version 27.2, or a newer patched version
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2026-3427 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Yoast SEO plugin for WordPress. It allows authenticated attackers with Contributor access to inject malicious scripts into pages, impacting visitors.
You are affected if you are using Yoast SEO versions 0.0.0 through 27.1.1. Check your plugin version and upgrade immediately if you are vulnerable.
Upgrade the Yoast SEO plugin to version 27.2 or later. If an immediate upgrade is not possible, implement WAF rules and carefully sanitize user input.
As of the publication date, there is no public evidence of active exploitation, but the vulnerability's ease of exploitation suggests it may become a target.
Refer to the official Yoast SEO security advisory on their website for the most up-to-date information and details regarding this vulnerability.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。