PT-2026-39946 · WordPress · Wp Seo Structured Data Schema
Published
2026-05-12
·
Updated
2026-05-12
·
CVE-2026-3604
CVSS v3.1
4.9
Medium
| Vector | AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
WP SEO Structured Data Schema versions prior to 2.8.2
Description
The plugin is subject to Stored Cross-Site Scripting (XSS), a flaw where malicious scripts are permanently stored on the target server. This occurs due to insufficient input sanitization and output escaping within the
kcseo ative tab parameter. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user visits the affected page.Recommendations
Update to a version newer than 2.8.1.
As a temporary workaround, restrict access to the
kcseo ative tab parameter to minimize the risk of exploitation.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wp Seo Structured Data Schema