PatchSiren

CVE-2026-40722 Yoast BV CVE debrief

CVE-2026-40722 is a Missing Authorization issue in Yoast SEO Premium, a popular WordPress plugin. It allows attackers to exploit incorrectly configured access control security levels. The issue affects Yoast SEO Premium versions through 26.6; the record gives no lower bound for the affected range (listed as n/a). With a CVSS score of 5.5, the vulnerability is classified as MEDIUM severity. Users of the affected plugin should take immediate action to mitigate potential risks. The vulnerability was published on June 17, 2026, and last modified on the same day. No known ransomware campaigns have been associated with this vulnerability.

Vendor: Yoast BV
Product: Yoast SEO Premium
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

WordPress users with Yoast SEO Premium installed, particularly those using versions up to 26.6, should be aware of this vulnerability. Site administrators and security teams should assess their exposure and take necessary precautions.

Technical summary

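CVE-2026-40722 is caused by a Missing Authorization issue in Yoast SEO Premium, categorized as CWE-862. It allows attackers to exploit incorrectly configured access control security levels. The vulnerability has a CVSS score of 5.5 and is classified as MEDIUM severity. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L. Read metric by metric, the vector describes an issue that is reachable over the network with low attack complexity, requires high privileges and no user interaction, changes scope, and has no confidentiality impact and low integrity and availability impact.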

Defensive priority

MEDIUM

Recommended defensive actions

  • Update Yoast SEO Premium to a version beyond 26.6
  • Review and correct access control configurations for the plugin
  • Monitor plugin usage and access logs for suspicious activity
  • Implement additional security measures, such as firewall rules and intrusion detection
  • Regularly update and patch all WordPress plugins and themes
  • Consider using a Web Application Firewall (WAF) to detect and prevent attacks

Evidence notes

The vulnerability information is based on data from the National Vulnerability Database (NVD) and Patchstack. The CVE record and NVD detail pages provide official information about the vulnerability. The Patchstack reference provides additional mitigation details.
