Skip to main content

Yoast SEO Breadcrumb Shortcode CVE-2026-57764

| EUVDEUVD-2026-41319 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-7xv8-5jwr-q8vr
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Contributor authentication required (PR:L); scope changes to victim's browser context (S:C); no credible availability impact from XSS alone, so A:N.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:28 vuln.today

DescriptionCVE.org

Contributor Cross Site Scripting (XSS) in Surbma | Yoast SEO Breadcrumb Shortcode <= 1.2 versions.

AnalysisAI

Stored Cross-Site Scripting in the Surbma Yoast SEO Breadcrumb Shortcode WordPress plugin (versions <= 1.2) allows contributor-level authenticated users to inject malicious JavaScript via the breadcrumb shortcode, which executes in the browser context of any victim who views the affected content - most critically a site administrator. The scope change (S:C) in the CVSS vector confirms the script escapes the plugin's own context and can hijack privileged sessions or perform unauthorized admin actions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain WordPress Contributor account
Delivery
Author post with malicious shortcode payload
Exploit
Publish or submit post for review
Execution
Admin/editor views post
Persist
XSS payload executes in victim browser
Impact
Steal admin session or escalate privileges

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to possess a valid WordPress Contributor-level account (or higher) on the targeted site - this is confirmed by the PR:L CVSS metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 6.5 (Medium) is supported by the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has registered or compromised a Contributor account on the target WordPress site creates or edits a post that embeds a malicious JavaScript payload within a breadcrumb shortcode attribute. When a site administrator previews or publishes that post, the unescaped script executes in the admin's browser, potentially stealing the admin's session cookie or silently creating a new administrator account for persistent access.
Remediation Upstream fix availability is not independently confirmed from the provided data - no exact patched version number is included in the intelligence. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57764 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy