Plugin Vulnerability Hub
Plugin 18 known issues Latest disclosed Mar 21, 2026

Yoast SEO – Advanced SEO with real-time guidance and built-in AI Vulnerabilities

Review known vulnerability records for the WordPress plugin Yoast SEO – Advanced SEO with real-time guidance and built-in AI (`wordpress-seo`), including severity, CVE references, affected versions, and patch status.

Known Records: 18
High or Critical: 2
Linked CVEs: 13
Last Updated: Mar 22, 2026

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Yoast SEO – Advanced SEO with real-time guidance and built-in AI so operators can quickly confirm whether a disclosed issue maps to the installed slug and version range.

Patch Visibility: 18 records include a published patch path.
Severity Mix: 0 critical and 2 high severity findings.
Reference Workflow: Jump from the hub into the full report when you need remediation notes, CVSS vector details, or source references.

Known Vulnerabilities

Reports for Yoast SEO – Advanced SEO with real-time guidance and built-in AI

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-3427
Yoast SEO <= 27.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'jsonText' Block Attribute

The Yoast SEO – Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `jsonText` block attribute in all versions up to, and including, 27.1.1 due to insufficient input sanitization and output escaping. T...

Published: Mar 21, 2026
Patched Release: 27.2
Affected Versions: Versions up to 27.1.1
Next Step: Update to 27.2 or newer if supported.

Plugin Medium Patched: Yes CVE-2026-1293
Yoast SEO <= 26.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'yoast-schema' Block Attribute

The Yoast SEO – Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `yoast-schema` block attribute in all versions up to, and including, 26.8 due to insufficient input sanitization and output escaping....

Published: Feb 05, 2026
Patched Release: 26.9
Affected Versions: Versions up to 26.8
Next Step: Update to 26.9 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-4984
Yoast SEO <= 22.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Yoast SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `display_name` author meta in all versions up to, and including, 22.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contr...

Published: May 14, 2024
Patched Release: 22.7
Affected Versions: Versions up to 22.6
Next Step: Update to 22.7 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-4041
Yoast SEO <= 22.5 - Reflected Cross-Site Scripting

The Yoast SEO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URLs in all versions up to, and including, 22.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts...

Published: May 06, 2024
Patched Release: 22.6
Affected Versions: Versions up to 22.5
Next Step: Update to 22.6 or newer if supported.

Plugin Medium Patched: Yes CVE-2023-40680
Yoast SEO <= 21.0 - Authenticated (SEO Manager+) Stored Cross-Site Scripting

The Yoast SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 21.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with SEO Manager-level access and above, to injec...

Published: Nov 24, 2023
Patched Release: 21.1
Affected Versions: Versions up to 21.0
Next Step: Update to 21.1 or newer if supported.

Plugin Medium Patched: Yes
Yoast SEO <= 20.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Yoast SEO plugin for WordPress is vulnerable to DOM-based Cross-Site Scripting via individual post SEO details in versions up to, and including, 20.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributo...

Published: Mar 02, 2023
Patched Release: 20.2.1
Affected Versions: Versions up to 20.2
Next Step: Update to 20.2.1 or newer if supported.

Plugin Medium Patched: Yes CVE-2021-25118
Yoast SEO <= 17.2 - Full Path Disclosure

The Yoast SEO plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 17.2 via the /wp/v2/posts REST endpoints that discloses the full internal path of featured images from posts. This makes it possible for unauthenticated attackers to extr...

Published: Oct 05, 2021
Patched Release: 17.3
Affected Versions: Versions before 17.3
Next Step: Update to 17.3 or newer if supported.

Plugin Medium Patched: Yes CVE-2019-13478
Yoast SEO <= 11.5 - Authenticated Stored Cross-Site Scripting

The Yoast SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via term descriptions in versions up to, and including, 11.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with post editor access to i...

Published: Jul 09, 2019
Patched Release: 11.6-RC5
Affected Versions: Versions up to 11.5
Next Step: Update to 11.6-RC5 or newer if supported.

Plugin Medium Patched: Yes CVE-2018-19370
Yoast SEO <= 9.1.0 - Race Condition to Remote Code Execution

A Race condition vulnerability in unzip_file in admin/import/class-import-settings.php in the Yoast SEO (wordpress-seo) plugin before 9.2.0 for WordPress allows an SEO Manager to perform command execution on the Operating System via a ZIP import.

Published: Nov 06, 2018
Patched Release: 9.2.0
Affected Versions: Versions up to 9.1.0
Next Step: Update to 9.2.0 or newer if supported.

Plugin Medium Patched: Yes CVE-2017-16842
Yoast SEO <= 5.7.1 - Reflected Cross-Site Scripting

Cross-site scripting (XSS) vulnerability in admin/google_search_console/class-gsc-table.php in the Yoast SEO plugin before 5.8.0 for WordPress allows remote attackers to inject arbitrary web script or HTML.

Published: Nov 22, 2017
Patched Release: 5.8.0
Affected Versions: Versions up to 5.7.1
Next Step: Update to 5.8.0 or newer if supported.

Plugin Medium Patched: Yes CVE-2021-24153
Yoast SEO <= 3.4.0 - Authenticated Stored Cross-Site Scripting

A Stored Cross-Site Scripting vulnerability was discovered in the Yoast SEO WordPress plugin before 3.4.1. Its built-in blacklist filters blocked parentheses as well as several functions such as `alert`, but bypasses were found.

Published: Aug 02, 2016
Patched Release: 3.4.1
Affected Versions: Versions before 3.4.1
Next Step: Update to 3.4.1 or newer if supported.

Plugin Medium Patched: Yes
Yoast SEO <= 3.2.5 - Cross-Site Scripting

The Yoast SEO plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 3.2.5 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts that execute in a victim's browser.

Published: Jun 14, 2016
Patched Release: 3.3.0
Affected Versions: Versions up to 3.2.5
Next Step: Update to 3.3.0 or newer if supported.