Yoast SEO Premium Flaw: Stored XSS Bug (CVE-2025-11241) Exposes Millions of WordPress Sites


A new vulnerability has been disclosed in the widely used Yoast SEO Premium plugin for WordPress, potentially exposing millions of websites to cross-site scripting (XSS) attacks. Tracked as CVE-2025-11241 and rated CVSS 6.4 (Medium severity), the vulnerability affects plugin versions 25.7 through 25.9.

The vulnerability arises from a flawed regular expression used to remove attributes in post content. According to the advisory, “The Yoast SEO Premium plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions 25.7 to 25.9 due to a flawed regex used to remove an attribute in post content, which can be abused to inject arbitrary HTML attributes, including JavaScript event handlers.”

This means that attackers with at least Contributor-level access could insert malicious JavaScript payloads directly into posts, which would then execute in the browsers of site administrators or visitors.
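The failure class the advisory describes, a textual regex that strips one attribute and, in doing so, reshapes a tag so that an attribute appears which the sanitised input never had, is easiest to see in a small self-contained demonstration. The following Python is an added example written for this article, not Yoast's code and not the plugin's actual regex: the attribute name `data-track`, the pattern `NAIVE_ATTR_RE`, and the two sample fragments are all constructed stand-ins (WordPress itself is PHP; Python is used here only because it can be run directly). It contrasts the fragile regex approach with a parser-based removal, and includes a regression check that flags any transformation that introduces attributes.

```python
import re
from html import escape
from html.parser import HTMLParser

# Hypothetical attribute to remove. The advisory does not name the attribute the
# plugin's regex targeted, so this is a constructed stand-in.
TARGET_ATTR = "data-track"

# Hypothetical regex-based remover in the style the advisory describes (NOT the
# plugin's code). It matches wherever the text "data-track=" occurs, quoted or
# bare, with no idea whether that text sits inside another attribute's value.
NAIVE_ATTR_RE = re.compile(r'\s*' + re.escape(TARGET_ATTR) + r'=(?:"[^"]*"|[^\s>]+)')


def strip_attribute_regex(content: str) -> str:
    """Fragile removal: plain text substitution with no notion of tag structure."""
    return NAIVE_ATTR_RE.sub("", content)


class _AttrStripper(HTMLParser):
    """Re-serialise markup, dropping one attribute from every tag it appears on."""

    def __init__(self, target: str):
        super().__init__(convert_charrefs=False)
        self.target = target.lower()
        self.out: list[str] = []

    def _emit_tag(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            if name.lower() == self.target:
                continue  # the only change we intend to make
            if value is None:
                parts.append(name)
            else:
                # HTMLParser hands back decoded values; re-escape them so a value
                # cannot close its own quotes on the way back out.
                parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def strip_attribute_dom(content: str, target: str = TARGET_ATTR) -> str:
    """Structure-aware removal: parse, drop the attribute, re-serialise."""
    p = _AttrStripper(target)
    p.feed(content)
    p.close()
    return "".join(p.out)


class _AttrCollector(HTMLParser):
    """Collect (tag, attribute-name) pairs as a browser-style parser would see them."""

    def __init__(self):
        super().__init__()
        self.seen: set[tuple[str, str]] = set()

    def handle_starttag(self, tag, attrs):
        self.seen.update((tag, name) for name, _ in attrs)

    handle_startendtag = handle_starttag


def attribute_names(content: str) -> set[tuple[str, str]]:
    c = _AttrCollector()
    c.feed(content)
    c.close()
    return c.seen


def introduced_attributes(before: str, after: str) -> set[tuple[str, str]]:
    """Regression check for any post-sanitisation transform: an attribute-removal
    step must never cause an attribute to exist that the input did not have."""
    return attribute_names(after) - attribute_names(before)


# Constructed samples. The second places the literal text "data-track=x" inside
# an allowed attribute's value, which is enough to derail the textual regex: the
# substitution eats the closing quote of title= and the parser then reads the
# leftover text as a brand-new attribute name.
PLAIN = '<img src="/a.png" data-track="hero" alt="Hero">'
TRICKY = '<a title="note: data-track=x" href="/docs">Docs</a>'

if __name__ == "__main__":
    for sample in (PLAIN, TRICKY):
        for label, fn in (("regex", strip_attribute_regex), ("dom", strip_attribute_dom)):
            out = fn(sample)
            print(f"{label:5} -> {out!r}  introduced={introduced_attributes(sample, out)}")
```

Both removers behave identically on the intended input (`PLAIN`); only on `TRICKY` does the regex version change the tag's attribute set, which is exactly what `introduced_attributes` is there to catch. The practical lesson for plugin code that post-processes user-submitted content is that any transformation applied after sanitisation must either be structure-aware or be followed by a second sanitisation pass (in WordPress terms, running the transformed content through `wp_kses_post()` again), because a regex that works on well-formed input says nothing about what it does to input crafted to straddle attribute boundaries.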

The issue is limited to authenticated users with Contributor permissions or higher, making it less severe than unauthenticated XSS. However, it still presents a real risk for websites that allow content submissions from multiple users.

As the report notes, “This vulnerability allows a user with Contributor access or higher to create a post containing a malicious JavaScript payload.”

Such payloads could be used to steal cookies, escalate privileges, or deliver secondary attacks through injected scripts.

The Yoast development team quickly addressed the issue in version 26.0, which includes both security fixes and usability improvements. The changelog states: “Fixes a defect where users with edit_posts capabilities (Contributor+) could execute stored cross-site scripting if the plugin’s AI feature was enabled.”

Other fixes in this release include:

  • Resolving redirect removal issues.
  • Correcting RTL language tooltip bugs.
  • Fixing persistent filter and search values when switching tabs on the redirects page.

Additionally, Yoast bumped the minimum required version to 26.0, ensuring that users adopt the patched release.
