CVE-2026-53740
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
The Yoast Duplicate Post plugin up to version 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice. Attackers can schedule a republish copy with a crafted title to execute script when an administrator views the resulting notice.
Risk Assessment
This vulnerability may lead to the execution of malicious scripts in the context of an administrator, posing a risk of system takeover or data theft.
Recommendation
It is recommended to update the Yoast Duplicate Post plugin to the latest version to eliminate this vulnerability. Additionally, monitoring and restricting access to editor functions for users with lower privileges is advisable.
Original NVD description (English source)
Yoast Duplicate Post through 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice. Attackers can schedule a republish copy with a crafted title to execute script when an administrator views the resulting notice.

