CVE-2025-11241

Published Oct 3, 2025

Last updated 5 months ago

CVSS medium 6.4
Yoast

Overview

Description
The Yoast SEO Premium plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions 25.7 to 25.9 due to a flawed regex used to remove an attribute in post content, which can be abused to inject arbitrary HTML attributes, including JavaScript event handlers. This vulnerability allows a user with Contributor access or higher to create a post containing a malicious JavaScript payload.
Source
security@wordfence.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Primary
Base score
6.4
Impact score
2.7
Exploitability score
3.1
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Severity
MEDIUM

Weaknesses

security@wordfence.com
CWE-80

Social media

Hype score
Not currently trending

  1. WordPress有料プラグイン「Yoast SEO Premium」でXSS脆弱性(CVE-2025-11241)が報告されました。 v25.7〜v25.9をお使いの方は、必ずv26.0以上へアップデートを。 #WordPress #セキュリティ #脆弱性 https://t.co/yZKlGplmNQ

    @accell_mo_kun

    24 Oct 2025

    61 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. WordPressの有料 プラグイン「Yoast SEO Premium」にXSS脆弱性(CVE-2025-11241) https://t.co/0CfKsrnb5T #セキュリティ対策Lab #セキュリティ #Security

    @securityLab_jp

    6 Oct 2025

    73 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CRITICAL ZERO-DAY: Yoast SEO Flaw (CVE-2025-11241) Exposes 10+ Million WordPress Sites to Complete Takeover. Read the full report on - https://t.co/7nNszqGnLD https://t.co/3KjPGPz2hu

    @cyberbivash

    3 Oct 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Related CVEs

  1. The Yoast SEO – Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the `yoast-schema` block attribute in all versions up to, and including, 26.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.CVE-2026-1293
  2. The BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bialty_cs_alt' post meta in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the post editor.CVE-2025-15019
  3. The Yoast SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘display_name’ author meta in all versions up to, and including, 22.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.CVE-2024-4984
  4. The Yoast SEO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URLs in all versions up to, and including, 22.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.CVE-2024-4041
  5. Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Yoast Yoast SEO: Local plugin <= 14.8 versions.CVE-2023-32300

References

Sources include official advisories and independent security research.