Skip to main content

Sentence To SEO EUVDEUVD-2026-24684

| CVE-2026-4142 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-22 Wordfence GHSA-95vj-cwqx-rpmc
4.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.4 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 22, 2026 - 10:02 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 08:30 euvd
EUVD-2026-24684
Analysis Generated
Apr 22, 2026 - 08:30 vuln.today
CVE Published
Apr 22, 2026 - 07:45 nvd
MEDIUM 4.4

DescriptionCVE.org

The Sentence To SEO (keywords, description and tags) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Permanent keywords' field in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin reads user input via filter_input_array(INPUT_POST) which applies no HTML sanitization (FILTER_DEFAULT), stores it unsanitized to the WordPress options table via update_option(), and then outputs the stored value directly into a textarea element without any escaping using PHP short echo tags (<?= ?>). An attacker can break out of the textarea element using a closing </textarea> tag and inject arbitrary HTML/JavaScript. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the plugin's settings page.

AnalysisAI

Stored cross-site scripting in the Sentence To SEO WordPress plugin (versions up to 1.0) allows authenticated administrators to inject arbitrary JavaScript into the plugin settings page via the 'Permanent keywords' field. The vulnerability stems from insufficient input sanitization and output escaping, enabling attackers to break out of a textarea element and inject malicious scripts that execute when other users access the settings page. This requires administrator-level privileges and does not affect unauthenticated users.

Technical ContextAI

The Sentence To SEO plugin for WordPress processes user input through filter_input_array(INPUT_POST) using FILTER_DEFAULT, which performs no HTML sanitization. The unsanitized input is stored directly to the WordPress options table via update_option() without any sanitization. Upon retrieval, the stored value is output directly into an HTML textarea element using PHP short echo tags (<?= ?>) with no escaping function applied. This creates a classic stored XSS vulnerability (CWE-79) where an attacker can inject a closing </textarea> tag followed by arbitrary HTML and JavaScript to break containment and execute scripts in the DOM. The vulnerability affects the WordPress plugin architecture layer where administrative settings are managed.

RemediationAI

The primary remediation is to update the Sentence To SEO plugin to a patched version once released by the vendor. In the immediate term, administrators should disable the plugin if not actively required, or restrict administrative access to trusted users only via WordPress role and capability management. The underlying code requires two fixes: (1) apply WordPress sanitization functions such as sanitize_text_field() or wp_kses_post() to user input from filter_input_array() before storing via update_option(), and (2) use WordPress escaping functions such as esc_attr() or esc_html() when outputting the stored value in the textarea element instead of bare short echo tags. Administrators should monitor the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/7d11b2db-d097-433f-923c-f49ef2951c0e and the WordPress plugin repository for patch availability.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

EUVD-2026-24684 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy