Medium severity6.4NVD Advisory· Published Oct 3, 2025· Updated Apr 15, 2026

CVE-2025-11241

Description

The Yoast SEO Premium plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions 25.7 to 25.9 due to a flawed regex used to remove an attribute in post content, which can be abused to inject arbitrary HTML attributes, including JavaScript event handlers. This vulnerability allows a user with Contributor access or higher to create a post containing a malicious JavaScript payload.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

developer.yoast.com/changelog/yoast-seo-premium/26.0/nvd
sec.stealthcopter.com/regexss/nvd
www.wordfence.com/threat-intel/vulnerabilities/id/a6e3645d-ed1b-4c51-a463-c2691cb7168dnvd

News mentions

No linked articles in our index yet.

cvss	0.416
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000