CVE-2025-11241: 
WordPress vulnerability analysis and mitigation

The Yoast SEO Premium plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-11241) affecting versions 25.7 through 25.9. The vulnerability was discovered on October 2, 2025, and received a CVSS v3.1 score of 6.4 (Medium severity). The flaw exists due to a flawed regex used to remove attributes in post content, which can be exploited by users with Contributor-level access or higher (NVD, Security Online).

The vulnerability stems from an improperly implemented regular expression used for attribute removal in post content. This flawed regex can be abused to inject arbitrary HTML attributes, including JavaScript event handlers. The issue specifically affects the plugin's AI feature and allows authenticated users with edit_posts capabilities to execute stored cross-site scripting attacks. The vulnerability has been assigned CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page) (NVD, Yoast Changelog).

The vulnerability allows authenticated users with Contributor access or higher to create posts containing malicious JavaScript payloads. When these posts are viewed by other users, particularly administrators, the injected scripts execute in their browsers. This could potentially lead to cookie theft, privilege escalation, or the delivery of secondary attacks through the injected scripts (Security Online).

The vulnerability has been patched in Yoast SEO Premium version 26.0. The update includes security fixes that properly validate and sanitize user input when the AI feature is enabled. Website administrators are strongly advised to update to version 26.0 or later to protect against this vulnerability (Yoast Changelog).