🔎 Have you found a vulnerability in a WordPress plugin or theme? Report vulnerabilities in WordPress plugins and themes through our bug bounty program and earn a bounty on all in-scope submissions, while we handle the responsible disclosure process on your behalf.

Yoast SEO

Wordfence Intelligence > Vulnerability Database > WordPress Plugins > Yoast SEO

Information

Software Type	Plugin
Software Slug	wordpress-seo (view on wordpress.org)
Software Status	Active
Software Author	yoast
Software Website	yoa.st
Software Downloads	699,765,266
Software Active Installs	10,000,000
Software Record Last Updated	July 26, 2024

16 Vulnerabilities

Yoast SEO <= 22.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-4984

May 14, 2024

Researcher: rob006

Yoast SEO <= 22.5 - Reflected Cross-Site Scripting

6.1

CVE-2024-4041

May 6, 2024

Researcher: Bassem Essam

Yoast SEO <= 21.0 - Authenticated (Seo Manager+) Stored Cross-Site Scripting

5.5

CVE-2023-40680

Nov 24, 2023

Researcher: Rafie Muhammad

Yoast SEO <= 20.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE ID Unknown

Mar 2, 2023

Researcher: Leonidas Milosis

Yoast SEO <= 17.2 - Full Path Disclosure

5.3

CVE-2021-25118

Oct 5, 2021

Researcher: Fariq Fadillah Gusti Insani (fariqfgi)

Yoast SEO <= 11.5 - Authenticated Stored Cross Site Scripting

6.4

CVE-2019-13478

Jul 9, 2019

Researcher: Sybre Waaijer

Yoast SEO <= 9.1.0 - Race Condition to Remote Code Execution

6.6

CVE-2018-19370

Nov 6, 2018

Researchers:

Yoast SEO <= 5.7.1 - Reflected Cross-Site Scripting

6.1

CVE-2017-16842

Nov 22, 2017

Researcher: Elias Dimopoulos

Yoast SEO <= 3.4.0 - Authenticated Stored Cross-Site Scripting

5.4

CVE-2021-24153

Aug 2, 2016

Researcher: Hammad Shamsi

Yoast SEO <= 3.2.5 - Cross-Site Scripting

4.7

CVE ID Unknown

Jun 14, 2016

Researchers:

Yoast SEO <= 3.2.4 - Sensitive Data Exposure

5.3

CVE ID Unknown

May 6, 2016

Researcher: Panagiotis Vagenas

Yoast SEO <= 2.0.1 - Reflected Cross-Site Scripting

6.1

CVE ID Unknown

Apr 20, 2015

Researchers:

Yoast SEO <= 1.7.3.3 - Blind SQL Injection

8.8

CVE-2015-2292

Mar 11, 2015

Researcher: Ryan Dewhurst

Yoast SEO <= 1.7.3.3 - Cross-Site Request Forgery

7.5

CVE-2015-2293

Mar 10, 2015

Researcher: Ryan Dewhurst

Yoast SEO <= 1.4.6 - Missing Authorization

6.5

CVE ID Unknown

Aug 1, 2014

Researchers:

Yoast SEO <= 2.1.1 - Cross Site Scripting via post_title parameter

6.1

CVE-2012-6692

Oct 31, 2012

Researchers:

Title	Status	CVE ID	CVSS	Researchers	Date
Yoast SEO <= 22.6 - Authenticated (Contributor+) Stored Cross-Site Scripting	Patched	CVE-2024-4984	6.4	rob006	May 14, 2024
Yoast SEO <= 22.5 - Reflected Cross-Site Scripting	Patched	CVE-2024-4041	6.1	Bassem Essam	May 6, 2024
Yoast SEO <= 21.0 - Authenticated (Seo Manager+) Stored Cross-Site Scripting	Patched	CVE-2023-40680	5.5	Rafie Muhammad	November 24, 2023
Yoast SEO <= 20.2 - Authenticated (Contributor+) Stored Cross-Site Scripting	Patched		6.4	Leonidas Milosis	March 2, 2023
Yoast SEO <= 17.2 - Full Path Disclosure	Patched	CVE-2021-25118	5.3	Fariq Fadillah Gusti Insani (fariqfgi)	October 5, 2021
Yoast SEO <= 11.5 - Authenticated Stored Cross Site Scripting	Patched	CVE-2019-13478	6.4	Sybre Waaijer	July 9, 2019
Yoast SEO <= 9.1.0 - Race Condition to Remote Code Execution	Patched	CVE-2018-19370	6.6		November 6, 2018
Yoast SEO <= 5.7.1 - Reflected Cross-Site Scripting	Patched	CVE-2017-16842	6.1	Elias Dimopoulos	November 22, 2017
Yoast SEO <= 3.4.0 - Authenticated Stored Cross-Site Scripting	Patched	CVE-2021-24153	5.4	Hammad Shamsi	August 2, 2016
Yoast SEO <= 3.2.5 - Cross-Site Scripting	Patched		4.7		June 14, 2016
Yoast SEO <= 3.2.4 - Sensitive Data Exposure	Patched		5.3	Panagiotis Vagenas	May 6, 2016
Yoast SEO <= 2.0.1 - Reflected Cross-Site Scripting	Patched		6.1		April 20, 2015
Yoast SEO <= 1.7.3.3 - Blind SQL Injection	Patched	CVE-2015-2292	8.8	Ryan Dewhurst	March 11, 2015
Yoast SEO <= 1.7.3.3 - Cross-Site Request Forgery	Patched	CVE-2015-2293	7.5	Ryan Dewhurst	March 10, 2015
Yoast SEO <= 1.4.6 - Missing Authorization	Patched		6.5		August 1, 2014
Yoast SEO <= 2.1.1 - Cross Site Scripting via post_title parameter	Patched	CVE-2012-6692	6.1		October 31, 2012

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation