Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L
High privileges required to trigger missing authorization; scope change reflects plugin impact on broader WordPress site; no confidentiality impact identified.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in Yoast BV Yoast SEO Premium allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Yoast SEO Premium: from n/a through 26.6.
AnalysisAI
Missing authorization controls in Yoast SEO Premium (WordPress plugin by Yoast BV) allow a network-accessible, highly privileged authenticated user to exploit incorrectly configured access control levels, yielding low-severity integrity and availability impact with a scope change that extends beyond the plugin itself into the broader WordPress environment. Affecting all versions through 26.6, this is a CWE-862 (Missing Authorization) flaw reported by Patchstack. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis.
Technical ContextAI
CWE-862 (Missing Authorization) indicates the application performs an action - typically a REST API endpoint, AJAX handler, or admin function - without validating whether the requesting user actually holds the required WordPress capability (e.g., manage_options or a plugin-specific cap). The CPE string cpe:2.3:a:yoast_bv:yoast_seo_premium:*:*:*:*:*:*:*:* covers all versions of the premium variant of the Yoast SEO WordPress plugin. The CVSS Scope:Changed (S:C) metric is significant: it signals the vulnerable component (the plugin) can affect resources or behaviors outside its own security domain - in a WordPress context this typically means unauthorized modification of site-wide SEO metadata, redirect rules, or settings that influence the broader WordPress install. The 'Authentication Bypass' tag appears to describe bypassing intra-role authorization controls (not full authentication bypass), consistent with PR:H in the CVSS vector, where a high-privileged role is still required but that role can perform actions it should be blocked from.
RemediationAI
The primary remediation is to update Yoast SEO Premium to a version beyond 26.6; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wordpress-seo-premium/vulnerability/wordpress-yoast-seo-premium-plugin-26-6-broken-access-control-vulnerability?_s_id=cve should be consulted for the confirmed fixed release version, as no exact patch version number is confirmed in the currently available data. As a compensating control where immediate upgrade is not feasible, administrators should audit and restrict which WordPress user accounts hold high-level roles (administrator, editor) to the minimum necessary set, reducing the pool of accounts that could trigger this flaw - note this does not eliminate the vulnerability but shrinks the attack surface. WordPress installations using role-management plugins can further enforce least-privilege role boundaries. Patch available per vendor advisory; exact fix version not independently confirmed from available data.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37579