PT-2026-34298 · WordPress · Sentence To Seo

Published: 2026-04-22 · Updated: 2026-05-01 · CVE-2026-4142

CVSS v3.1: 4.4 (Medium)

Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Sentence To SEO versions prior to 1.1

Description

The Sentence To SEO plugin for WordPress contains a Stored Cross-Site Scripting issue. The plugin fails to properly sanitize input and escape output for the 'Permanent keywords' field. Specifically, user input is read via the filter_input_array(INPUT_POST) function without HTML sanitization and stored in the WordPress options table using update_option(). The stored value is then rendered inside a textarea element using PHP short echo tags without escaping. This allows authenticated attackers with administrator-level access or higher to inject arbitrary HTML or JavaScript by using a closing tag, which executes when a user visits the plugin settings page.

Recommendations

Update the plugin to a version later than 1.0.
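
The store-then-render pattern from the description, next to a hardened form, as an added example (not the plugin's code). The option name, field key and function names are hypothetical, and the stand-in definitions at the top are simplified substitutes that exist only so the script runs under plain PHP; inside WordPress the real functions are used.

```php
<?php
// Added example. Stand-ins below are simplified and only defined outside WordPress.
if (!function_exists('esc_textarea')) {
    $GLOBALS['example_options'] = [];
    function update_option($k, $v) { $GLOBALS['example_options'][$k] = $v; return true; }
    function get_option($k, $d = false) { return $GLOBALS['example_options'][$k] ?? $d; }
    function esc_textarea($t) { return htmlspecialchars($t, ENT_QUOTES, 'UTF-8'); }
    function sanitize_textarea_field($t) { return trim(strip_tags($t)); }
}

const OPT = 'example_permanent_keywords'; // hypothetical option name

// Pattern from the advisory: the raw POST value is stored, then echoed as-is.
// In the plugin the array comes from filter_input_array(INPUT_POST).
function save_vulnerable(array $post): void {
    update_option(OPT, $post['permanent_keywords'] ?? '');
}
function render_vulnerable(): string {
    return '<textarea name="permanent_keywords">' . get_option(OPT, '') . '</textarea>';
}

// Hardened: strip markup before storing, escape when rendering.
function save_hardened(array $post): void {
    update_option(OPT, sanitize_textarea_field($post['permanent_keywords'] ?? ''));
}
function render_hardened(): string {
    return '<textarea name="permanent_keywords">'
        . esc_textarea(get_option(OPT, '')) . '</textarea>';
}

// Constructed input: a closing tag followed by inert markup.
$post = ['permanent_keywords' => 'seo, blog</textarea><b>outside-the-field</b>'];

// 1. Vulnerable save and render: the <b> element ends up outside the textarea.
save_vulnerable($post);
echo render_vulnerable(), "\n";

// 2. Hardened save and render: tags are stripped before the value is stored.
save_hardened($post);
echo render_hardened(), "\n";

// 3. Value stored by the vulnerable path, rendered by the hardened one:
//    output escaping alone keeps it inside the textarea as text.
save_vulnerable($post);
echo render_hardened(), "\n";
```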

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-4142

Affected Products

Sentence To Seo