Skip to main content

Yoast Duplicate Post

2 CVEs product

Monthly

CVE-2026-53740 MEDIUM This Month

Stored cross-site scripting in Yoast Duplicate Post (WordPress plugin, through version 4.6) allows an authenticated low-privilege user to plant a malicious payload in the Classic Editor's scheduled republish notice by crafting the cloned post's title or permalink. When an administrator subsequently views the notice in the Classic Editor, the injected script executes in their browser session, enabling session hijacking or unauthorized admin-level actions. No public exploit code and no CISA KEV listing have been identified at time of analysis, keeping this at medium priority despite the admin-targeting impact.

XSS Yoast Duplicate Post
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-53739 MEDIUM This Month

Cross-site request forgery in the Yoast Duplicate Post WordPress plugin through version 4.6 allows any attacker to silently suppress admin notices across a WordPress installation. The `duplicate_post_dismiss_notice` handler performs no nonce validation and no capability check, meaning any authenticated WordPress user - regardless of role - can be tricked into triggering the vulnerable endpoint. A successful attack sets the `duplicate_post_show_notice` site option network-wide, potentially hiding important administrative alerts from site operators. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog at time of analysis.

CSRF Yoast Duplicate Post
NVD
CVSS 4.0
5.1
EPSS
0.0%
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored cross-site scripting in Yoast Duplicate Post (WordPress plugin, through version 4.6) allows an authenticated low-privilege user to plant a malicious payload in the Classic Editor's scheduled republish notice by crafting the cloned post's title or permalink. When an administrator subsequently views the notice in the Classic Editor, the injected script executes in their browser session, enabling session hijacking or unauthorized admin-level actions. No public exploit code and no CISA KEV listing have been identified at time of analysis, keeping this at medium priority despite the admin-targeting impact.

XSS Yoast Duplicate Post
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Cross-site request forgery in the Yoast Duplicate Post WordPress plugin through version 4.6 allows any attacker to silently suppress admin notices across a WordPress installation. The `duplicate_post_dismiss_notice` handler performs no nonce validation and no capability check, meaning any authenticated WordPress user - regardless of role - can be tricked into triggering the vulnerable endpoint. A successful attack sets the `duplicate_post_show_notice` site option network-wide, potentially hiding important administrative alerts from site operators. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog at time of analysis.

CSRF Yoast Duplicate Post
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy