CVE-2024-4984

The Yoast SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 22.6. The vulnerability stems from insufficient input sanitization and output escaping of the display_name author meta field. When an author's display name is rendered in Twitter card meta tags (e.g., twitter:data1), unescaped quotes or special characters can break the tag syntax and allow injection of arbitrary HTML/JavaScript.

An authenticated attacker with contributor-level access or above can exploit this by setting a malicious display name containing script payloads. The injected script executes whenever a user views a page authored by that user (e.g., a post or page), as the display name is output without proper encoding in the affected meta tags. No additional user interaction beyond visiting the page is required for the payload to trigger.

Successful exploitation allows the attacker to execute arbitrary web scripts in the context of the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information. The vulnerability is rated Medium severity with a CVSS score of 6.4.

The issue was addressed in Yoast SEO version 22.7, released on May 14, 2024. The fix properly escapes the display_name value using HTML entities (e.g., converting " to ") in the Enhanced Slack Sharing presenter, as detailed in the related pull request [1][2]. Users are strongly advised to update to version 22.7 or later to mitigate the risk.