PT-2026-39946 · WordPress · Wp Seo Structured Data Schema

Published

2026-05-12

·

Updated

2026-05-12

·

CVE-2026-3604

CVSS v3.1

4.9

Medium

VectorAV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions WP SEO Structured Data Schema versions prior to 2.8.2
Description The plugin is subject to Stored Cross-Site Scripting (XSS), a flaw where malicious scripts are permanently stored on the target server. This occurs due to insufficient input sanitization and output escaping within the kcseo ative tab parameter. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user visits the affected page.
Recommendations Update to a version newer than 2.8.1. As a temporary workaround, restrict access to the kcseo ative tab parameter to minimize the risk of exploitation.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-3604

Affected Products

Wp Seo Structured Data Schema