CVE Catalog

CVE-2026-53740

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

9th percentile — higher than 9% of all known CVEs

Summary

The Yoast Duplicate Post plugin up to version 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice. Attackers can schedule a republish copy with a crafted title to execute script when an administrator views the resulting notice.

Risk Assessment

This vulnerability may lead to the execution of malicious scripts in the context of an administrator, posing a risk of system takeover or data theft.

Recommendation

It is recommended to update the Yoast Duplicate Post plugin to the latest version to eliminate this vulnerability. Additionally, monitoring and restricting access to editor functions for users with lower privileges is advisable.

Original NVD description (English source)

Yoast Duplicate Post through 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice. Attackers can schedule a republish copy with a crafted title to execute script when an administrator views the resulting notice.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS