CVE-2026-1293
Yoast SEO <= 26.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'yoast-schema' Block AttributeThe Yoast SEO – Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the `yoast-schema` block attribute in all versions up to, and including, 26.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
We have discovered 2,502,255 live websites that are affected by CVE-2026-1293.
Affected Software
| Product |  Yoast SEO |
| Category | Search Engine Optimization |
| Vulnerable Domains | 2,502,255 live websites (61% of Yoast SEO install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 391 versions ( 98% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Feb 6, 2026
- Updated - Apr 8, 2026
Credits
- suyoung kim (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-1293 United States | 740,339 websites |
 Germany | 246,079 websites |
 France | 180,133 websites |
 GB | 123,473 websites |
 Italy | 123,427 websites |
 Netherlands | 103,400 websites |
 Spain | 78,841 websites |
 Russia | 75,657 websites |
 Poland | 69,706 websites |
 Canada | 52,998 websites |
Website Distribution by TLD
Number of websites using CVE-2026-1293| .com | 1,031,487 websites |
| .de | 145,796 websites |
| .org | 95,504 websites |
| .nl | 95,397 websites |
| .it | 91,374 websites |
| .co.uk | 83,581 websites |
| .fr | 83,022 websites |
| .ru | 64,091 websites |
| .net | 59,901 websites |
| .pl | 53,774 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-1293
Top websites that are affected by CVE-2026-1293. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***************.org | United States | *** | |
| ****************.com | United States | *** | |
| ********.com | United States | *** | |
| *******.com | United States | *** | |
| *********.com | United States | *** | |
| *********.com | United States | *** | |
| ***.********.com | United States | *** | |
| **********.com | United States | *** | |
| *********.com | United States | *** | |
| ******.com | United States | *** |
FAQ
CVE-2026-1293 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Yoast SEO
A total of 2,502,255 websites have been identified as vulnerable to CVE-2026-1293, based on global website indexing conducted by WebTechSurvey.
The Yoast SEO is affected by the CVE-2026-1293 vulnerability.
Yoast SEO versions up to and including 26.8 are vulnerable to CVE-2026-1293.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8b2e7c2d-ed2f-439b-9cee-f2e5d46121b6?source=cve
- https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/src/presenters/schema-presenter.php#L49
- https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/inc/class-wpseo-utils.php#L915
- https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/src/generators/schema-generator.php#L188