PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-53740 Yoast CVE debrief

CVE-2026-53740 is a MEDIUM-severity vulnerability (CVSS score: 5.1) in the Yoast Duplicate Post plugin for WordPress, affecting versions through 4.6. The plugin inserts the post title and permalink into the Classic Editor scheduled republish notice without escaping them. By scheduling a republish copy with a crafted title, an attacker can cause a script to execute when an administrator views the resulting notice. The vulnerability was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-53740) and is detailed further on [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-53740).

  • Vendor: Yoast
  • Product: Yoast Duplicate Post
  • CVSS: MEDIUM 5.1
  • CISA KEV: Not listed in stored evidence
  • Original CVE published: 2026-06-10
  • Original CVE updated: 2026-06-11
  • Advisory published: 2026-06-10
  • Advisory updated: 2026-06-11

Who should care

Administrators and users of WordPress sites running the Yoast Duplicate Post plugin at version 4.6 or earlier should prioritize updating to a patched version to mitigate this vulnerability.

Technical summary

The Yoast Duplicate Post plugin for WordPress inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice. An attacker who schedules a republish copy with a crafted title can have a script execute when an administrator views the resulting notice, which makes this a stored Cross-Site Scripting (XSS) vulnerability.
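
The unescaped-output pattern described above, shown beside its escaped form. This is an added illustration, not code from the Yoast Duplicate Post plugin: the function names, notice markup and sample values are hypothetical, and the `esc_html()`/`esc_url()` stand-ins are simplified versions of the WordPress core functions so the file runs outside WordPress.

```php
<?php
// Added illustration; not the Yoast Duplicate Post source. Function names are hypothetical.

// Stand-ins so the file runs outside WordPress. Inside WordPress the core
// esc_html() and esc_url() are already defined and these are skipped.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    function esc_url( $url ) {
        // Simplified assumption: accept only http(s) URLs, then attribute-encode.
        if ( ! preg_match( '#^https?://#i', (string) $url ) ) {
            return '';
        }
        return htmlspecialchars( (string) $url, ENT_QUOTES, 'UTF-8' );
    }
}

// Unescaped pattern: stored values are placed into the notice markup as-is,
// so markup in the title is interpreted by the administrator's browser.
function notice_unescaped( $title, $permalink ) {
    return sprintf(
        '<div class="notice"><p>Scheduled republish of <a href="%s">%s</a>.</p></div>',
        $permalink,
        $title
    );
}

// Escaped pattern: each value is encoded for the context it lands in
// (URL attribute for the permalink, HTML text for the title).
function notice_escaped( $title, $permalink ) {
    return sprintf(
        '<div class="notice"><p>Scheduled republish of <a href="%s">%s</a>.</p></div>',
        esc_url( $permalink ),
        esc_html( $title )
    );
}

// Constructed sample input: a post title that carries markup.
$title     = 'Q3 report <script>alert(1)</script>';
$permalink = 'https://example.test/?p=42';

echo notice_unescaped( $title, $permalink ), PHP_EOL; // title markup reaches the page intact
echo notice_escaped( $title, $permalink ), PHP_EOL;   // title is rendered as inert text
```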

Defensive priority

High

Recommended defensive actions

  • Update the Yoast Duplicate Post plugin to a version later than 4.6.
  • Review and sanitize all post titles and permalinks used in conjunction with the plugin.
  • Monitor for suspicious activity related to the Classic Editor scheduled republish notice.

Evidence notes

Evidence suggests that the vulnerability exists within the Yoast Duplicate Post plugin, specifically affecting versions through 4.6. [ref-4](https://wordpress.org/plugins/duplicate-post/) and [ref-5](https://www.vulncheck.com/advisories/yoast-duplicate-post-through-stored-cross-site-scripting-via-scheduled-republish-notice) provide additional context and details about the vulnerability.

Official resources

CVE-2026-53740 was published on 2026-06-10T22:17:02.367Z and modified on 2026-06-11T15:22:26.633Z.