CVE-2026-53740 is a MEDIUM-severity vulnerability (CVSS Score: 5.1) in the Yoast Duplicate Post plugin for WordPress, affecting versions through 4.6. The vulnerability allows an attacker to inject an unescaped post title and permalink into the Classic Editor scheduled republish notice. By scheduling a republish copy with a crafted title, an attacker can execute a script when an administrator views the res [truncated]
CVE-2026-53739 is a medium-severity cross-site request forgery vulnerability in Yoast Duplicate Post through version 4.6. The vulnerability exists in the `duplicate_post_dismiss_notice` handler, which fails to verify a nonce or capability. This allows attackers to trick any authenticated user into sending a request that sets the `duplicate_post_show_notice` site option, effectively suppressing admin notic [truncated]
CVE-2025-14481 is a medium-severity Insecure Direct Object Reference (IDOR) vulnerability in the Yoast SEO WordPress plugin affecting all versions up to and including 26.5. The vulnerability resides in the Meta Search REST API endpoint, which fails to properly validate post ownership before returning SEO metadata. Authenticated attackers with Contributor-level privileges or higher can exploit this flaw by [truncated]