Skip to main content

Yoast SEO Premium EUVDEUVD-2026-37579

| CVE-2026-40722 MEDIUM
Missing Authorization (CWE-862)
2026-06-17 Patchstack
5.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
5.5 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L
vuln.today AI
5.5 MEDIUM

High privileges required to trigger missing authorization; scope change reflects plugin impact on broader WordPress site; no confidentiality impact identified.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 10:18 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Yoast BV Yoast SEO Premium allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Yoast SEO Premium: from n/a through 26.6.

AnalysisAI

Missing authorization controls in Yoast SEO Premium (WordPress plugin by Yoast BV) allow a network-accessible, highly privileged authenticated user to exploit incorrectly configured access control levels, yielding low-severity integrity and availability impact with a scope change that extends beyond the plugin itself into the broader WordPress environment. Affecting all versions through 26.6, this is a CWE-862 (Missing Authorization) flaw reported by Patchstack. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis.

Technical ContextAI

CWE-862 (Missing Authorization) indicates the application performs an action - typically a REST API endpoint, AJAX handler, or admin function - without validating whether the requesting user actually holds the required WordPress capability (e.g., manage_options or a plugin-specific cap). The CPE string cpe:2.3:a:yoast_bv:yoast_seo_premium:*:*:*:*:*:*:*:* covers all versions of the premium variant of the Yoast SEO WordPress plugin. The CVSS Scope:Changed (S:C) metric is significant: it signals the vulnerable component (the plugin) can affect resources or behaviors outside its own security domain - in a WordPress context this typically means unauthorized modification of site-wide SEO metadata, redirect rules, or settings that influence the broader WordPress install. The 'Authentication Bypass' tag appears to describe bypassing intra-role authorization controls (not full authentication bypass), consistent with PR:H in the CVSS vector, where a high-privileged role is still required but that role can perform actions it should be blocked from.

RemediationAI

The primary remediation is to update Yoast SEO Premium to a version beyond 26.6; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wordpress-seo-premium/vulnerability/wordpress-yoast-seo-premium-plugin-26-6-broken-access-control-vulnerability?_s_id=cve should be consulted for the confirmed fixed release version, as no exact patch version number is confirmed in the currently available data. As a compensating control where immediate upgrade is not feasible, administrators should audit and restrict which WordPress user accounts hold high-level roles (administrator, editor) to the minimum necessary set, reducing the pool of accounts that could trigger this flaw - note this does not eliminate the vulnerability but shrinks the attack surface. WordPress installations using role-management plugins can further enforce least-privilege role boundaries. Patch available per vendor advisory; exact fix version not independently confirmed from available data.

Share

EUVD-2026-37579 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy