PatchSiren

Yoast CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Yoast CVE published 2026-06-10

CVE-2026-53740

CVE-2026-53740 is a MEDIUM-severity vulnerability (CVSS Score: 5.1) in the Yoast Duplicate Post plugin for WordPress, affecting versions through 4.6. The vulnerability allows an attacker to inject an unescaped post title and permalink into the Classic Editor scheduled republish notice. By scheduling a republish copy with a crafted title, an attacker can execute a script when an administrator views the res [truncated]

MEDIUM Yoast CVE published 2026-06-10

CVE-2026-53739

CVE-2026-53739 is a medium-severity cross-site request forgery vulnerability in Yoast Duplicate Post through version 4.6. The vulnerability exists in the `duplicate_post_dismiss_notice` handler, which fails to verify a nonce or capability. This allows attackers to trick any authenticated user into sending a request that sets the `duplicate_post_show_notice` site option, effectively suppressing admin notic [truncated]

MEDIUM yoast CVE published 2026-05-27

CVE-2025-14481

CVE-2025-14481 is a medium-severity Insecure Direct Object Reference (IDOR) vulnerability in the Yoast SEO WordPress plugin affecting all versions up to and including 26.5. The vulnerability resides in the Meta Search REST API endpoint, which fails to properly validate post ownership before returning SEO metadata. Authenticated attackers with Contributor-level privileges or higher can exploit this flaw by [truncated]