CVE-2026-53740

MEDIUM NVD

CVSS Score 5.4

Severity MEDIUM

Published Jun 10, 2026

Vendor unknown

Description

Yoast Duplicate Post through 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice. Attackers can schedule a republish copy with a crafted title to execute script when an administrator views the resulting notice.

References

https://wordpress.org/plugins/duplicate-post/
https://www.vulncheck.com/advisories/yoast-duplicate-post-through-stored-cross-site-scripting-via-scheduled-republish-notice