VYPR
Medium severity 6.5 · NVD Advisory · Published Jan 23, 2026 · Updated Apr 28, 2026

CVE-2026-24591

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in yasir129 Turn Yoast SEO FAQ Block to Accordion faq-schema-block-to-accordion allows Stored XSS. This issue affects Turn Yoast SEO FAQ Block to Accordion: from n/a through <= 1.0.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in Turn Yoast SEO FAQ Block to Accordion plugin versions ≤1.0.6 allows attackers to inject malicious scripts via FAQ blocks.

The Turn Yoast SEO FAQ Block to Accordion plugin for WordPress versions 1.0.6 and below suffers from a stored cross-site scripting (XSS) vulnerability. The plugin fails to properly neutralize user input during web page generation, allowing unvalidated or unsanitized data to be stored and later executed in the browser of unsuspecting visitors [1].

Exploitation requires a user with at least contributor-level access to create or edit posts containing the FAQ block. By injecting malicious JavaScript into the block's content, an attacker can cause the script to be stored on the server and served to any user who views the affected page. No other privileged action is needed from the victim besides visiting the page [1].

Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, credential theft, forced redirects to malicious sites, or defacement of the website. The stored nature of the attack makes it particularly dangerous as it can affect multiple visitors without further interaction [1].

Users should immediately update the plugin to version 1.0.7 or later, which contains a fix from the vendor. If updating is not possible, consider disabling the plugin or implementing a web application firewall to block malicious payloads. Given the use of such vulnerabilities in mass-exploit campaigns, prompt action is recommended [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.
