Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Low-privilege account required (PR:L), admin must view the notice (UI:R), scope changes to admin session (S:C) with limited confidentiality and integrity impact and no availability effect.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Yoast Duplicate Post through 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice. Attackers can schedule a republish copy with a crafted title to execute script when an administrator views the resulting notice.
AnalysisAI
Stored cross-site scripting in Yoast Duplicate Post (WordPress plugin, through version 4.6) allows an authenticated low-privilege user to plant a malicious payload in the Classic Editor's scheduled republish notice by crafting the cloned post's title or permalink. When an administrator subsequently views the notice in the Classic Editor, the injected script executes in their browser session, enabling session hijacking or unauthorized admin-level actions. No public exploit code and no CISA KEV listing have been identified at time of analysis, keeping this at medium priority despite the admin-targeting impact.
Technical ContextAI
Yoast Duplicate Post is a WordPress plugin (CPE: cpe:2.3:a:yoast:yoast_duplicate_post:*:*:*:*:*:*:*:*) that enables users to clone existing posts and optionally schedule a 'republish' of the copy. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation): the plugin inserts user-controlled post title and permalink values into the Classic Editor's scheduled republish admin notice without proper HTML output encoding. Because WordPress's Classic Editor renders raw HTML in admin notices, any JavaScript embedded in those unescaped values will execute in the administrator's browser context. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) confirms network delivery, low-privilege attacker, and passive user interaction (admin views the notice), with impact scoped to downstream system integrity and limited confidentiality - consistent with a stored XSS escalating from contributor to admin-context execution.
RemediationAI
Update Yoast Duplicate Post to a version beyond 4.6 by visiting the WordPress plugin page at https://wordpress.org/plugins/duplicate-post/ - no exact patched version number is confirmed in the available data, so consult the changelog for the first release after 4.6 that addresses this issue. Until patching is possible, administrators should restrict the Duplicate Post capability to only fully trusted roles via the plugin's settings (Yoast Duplicate Post allows per-role capability control), removing contributor and author access to the 'schedule republish' feature; this eliminates the primary attack vector but reduces workflow capability for lower-privileged editors. Alternatively, disabling the Classic Editor plugin in favor of the Block Editor removes the vulnerable notice rendering path entirely, though this may disrupt existing editorial workflows. Administrators should also audit pending scheduled republish entries for unexpected or malformed post titles that could indicate a pre-placed payload.
More in Yoast Duplicate Post
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36141
GHSA-c45g-9264-93f4