Threat Advisory

Yoast SEO Plugin Vulnerability Enables Contributor-Level XSS Attacks

Threat: Vulnerability
Threat Actor Name: -
Threat Actor Type: -
Targeted Region: Global
Alias: -
Threat Actor Region: -
Targeted Sector: Technology & IT
Criticality: Medium

EXECUTIVE SUMMARY:

A critical vulnerability in the Yoast SEO Premium WordPress plugin, tracked as CVE-2025-11241 with a CVSS score of 6.4, allows Contributor-level or higher users to perform stored cross-site scripting (XSS) attacks by exploiting a flawed regular expression that fails to properly sanitize post content. This flaw enables attackers to inject arbitrary HTML attributes, including malicious JavaScript, which could execute in the browsers of administrators or visitors, potentially leading to cookie theft, privilege escalation, or secondary attacks. The issue affects versions 25.7 through 25.9, and while limited to authenticated users, it poses a significant risk on multi-author websites. Yoast addressed the vulnerability in version 26.0, which also includes fixes for redirect removal, RTL tooltips, and persistent filter issues, while raising the minimum required plugin version to ensure the patched release is adopted.
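The advisory describes injection of arbitrary HTML attributes into stored post content. As an added example (not from the advisory or from Yoast), the following Python script sweeps exported post rows for the attribute-level payloads that bug class leaves behind, so an administrator can check whether anything was stored before the update to 26.0. It assumes rows as dicts with an ID, the author's role and the raw post_content; the sample rows are constructed, not real site data.

```python
import html
import re
from html.parser import HTMLParser

# URL-bearing attributes where a script-scheme value is a classic stored-XSS vector.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class AttributeAuditor(HTMLParser):
    """Collects (tag, attribute, value) triples that can carry script execution."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # HTMLParser lowercases names and decodes entities
            v = value or ""
            # Decode a second time (catches double-encoded values) and strip whitespace/control
            # characters so "java\tscript:" or "JaVaScRiPt&#58;" still match the scheme check.
            vnorm = re.sub(r"[\s\x00-\x1f]", "", html.unescape(v)).lower()
            if name.startswith("on"):  # any event-handler attribute: onerror, onload, ...
                self.findings.append((tag, name, v))
            elif name in URL_ATTRS and vnorm.startswith(SCRIPT_SCHEMES):
                self.findings.append((tag, name, v))

    handle_startendtag = handle_starttag  # also inspect self-closing tags like <img ... />


def audit_post(post_content):
    """Return the suspicious attributes found in one post body."""
    parser = AttributeAuditor()
    parser.feed(post_content)
    parser.close()
    return parser.findings


def audit_posts(posts, low_priv_roles=("contributor", "author")):
    """Flag posts carrying suspicious attributes; mark those written by low-privilege roles."""
    flagged = []
    for post in posts:
        findings = audit_post(post["post_content"])
        if findings:
            flagged.append({"ID": post["ID"], "role": post["post_author_role"],
                            "low_priv": post["post_author_role"] in low_priv_roles,
                            "findings": findings})
    return flagged


# Constructed sample rows (hypothetical, not taken from any real site).
SAMPLE_POSTS = [
    {"ID": 101, "post_author_role": "contributor", "post_content": '<p>Hi</p><img src="x" onerror="x()">'},
    {"ID": 102, "post_author_role": "administrator", "post_content": '<a href="https://example.com">ok</a>'},
    {"ID": 103, "post_author_role": "contributor", "post_content": '<a href="JaVaScRiPt&#58;x()">click</a>'},
    {"ID": 104, "post_author_role": "author", "post_content": "<p>plain text mentioning onclick</p>"},
]

if __name__ == "__main__":
    for hit in audit_posts(SAMPLE_POSTS):
        print(hit)
```

The heuristic deliberately errs toward flagging (double-decoding, case folding), so treat hits as triage input rather than proof of compromise.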

RECOMMENDATION:

We strongly recommend updating the Yoast SEO Premium WordPress plugin to version 26.0.

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/yoast-seo-premium-flaw-stored-xss-bug-cve-2025-11241-exposes-millions-of-wordpress-sites/
