Description Preview
Yoast SEO for WordPress, in all versions up to and including 22.6, is vulnerable to stored cross-site scripting (XSS) through the display_name value in author metadata. The plugin neither sanitized the value on intake nor escaped it on output when rendering author meta, so an authenticated attacker with Contributor-level access or higher can store arbitrary JavaScript that is emitted into pages. Because any WordPress user can set their own display name from their profile, no capability beyond a Contributor account is required. When another user, including an administrator, loads a page that renders the injected author meta, the script executes in that user's browser, enabling session hijacking (WordPress authentication cookies are HttpOnly by default, so this typically means driving requests from the victim's session rather than reading the cookie), actions performed with the victim's privileges, or defacement. The vulnerability is tracked as CVE-2024-4984 with a CVSS v3.1 base score of 6.4 (Medium). It was discovered in late April 2024 and disclosed in mid-May 2024, and the fix shipped in Yoast SEO 22.7. The GitHub pull request, WordPress Trac changeset, and Yoast changelog listed under References confirm the fix and its release.
Overview
This CVE describes a stored XSS vulnerability in Yoast SEO for WordPress (≤ 22.6): the author display_name is neither sanitized nor escaped before it is rendered, so an authenticated attacker with Contributor privileges can inject script that executes when other users view the affected pages. Severity is Medium (CVSS v3.1 base score 6.4). The issue was disclosed by Wordfence and patched in release 22.7; the references below document the fix and the associated development activity.
Remediation
- Update Yoast SEO to version 22.7 or newer; the release corrects both input sanitization and output escaping for author metadata.
- Keep WordPress core and all other plugins and themes current to reduce exposure to related issues.
- If an immediate update is not possible, review every account at Contributor level or above and remove or downgrade any that are not trusted. Users set their own display name from their profile, so there is no narrower permission to revoke; an untrusted Contributor account is the exposure.
- Sanitize author-related profile fields on intake (for example by stripping tags from the display name and nickname before they are saved) and escape them again at every output point. Escaping at output is the control that actually prevents XSS; intake sanitization is defence in depth, not a substitute.
- After applying the patch, verify the fix in a staging environment: set a test account's display name to a harmless canary containing quotes and angle brackets, load the pages that render the author meta, and confirm the canary appears entity-encoded rather than as raw markup.
- Enable or strengthen Web Application Firewall (WAF) rules and monitor for suspicious changes to author metadata.
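As an added example of the staging check in the last two items (this is not code from the advisory, Wordfence, or Yoast): set a test account's display name to the canary in its WordPress profile, fetch a page that renders the author meta (for example with curl), and pass the fetched HTML to check_rendered_page. The canary value and the meta tag markup in the constructed samples are assumptions for this example; the sample pages are constructed here, not captured from a real site.

```python
import html

# Canary display name for the staging check. It is a constructed test value,
# not an exploit from the advisory: it only needs the characters (double
# quote, angle brackets) that a correct escaper must neutralise. It avoids
# single quotes because WordPress (&#039;) and Python's html.escape (&#x27;)
# encode those differently, which would make the escaped-form comparison
# below unreliable.
CANARY = '"><img src=x onerror=alert(1)>'

# Constructed sample renderings (not captured from a real site). The meta
# tags mirror the "Written by" enhanced data Yoast emits for Slack previews;
# the exact markup is an assumption for this example.
VULNERABLE_HTML = (
    "<html><head>\n"
    '<meta name="twitter:label1" content="Written by" />\n'
    '<meta name="twitter:data1" content="' + CANARY + '" />\n'
    "</head><body></body></html>"
)
PATCHED_HTML = (
    "<html><head>\n"
    '<meta name="twitter:label1" content="Written by" />\n'
    '<meta name="twitter:data1" content="'
    + html.escape(CANARY, quote=True)
    + '" />\n'
    "</head><body></body></html>"
)


def count_raw(page: str, canary: str) -> int:
    """Occurrences of the canary with its metacharacters intact."""
    return page.count(canary)


def count_escaped(page: str, canary: str) -> int:
    """Occurrences where the double quote and angle brackets were
    entity-encoded. For those three characters WordPress' esc_attr()
    and esc_html() produce the same entities as html.escape(quote=True):
    &quot; &lt; &gt;."""
    return page.count(html.escape(canary, quote=True))


def locate_raw(page: str, canary: str = CANARY) -> list:
    """Lines of the page that still contain the raw canary, so the
    offending sink can be identified from the fetched HTML."""
    return [line for line in page.splitlines() if canary in line]


def check_rendered_page(page: str, canary: str = CANARY) -> dict:
    """Classify a fetched page as vulnerable or fixed for this canary.

    A page is flagged vulnerable if the canary appears anywhere with its
    metacharacters intact, even if escaped copies also exist, because a
    single unescaped sink is enough for the script to run. canary_present
    is False when neither form appears, which means the author meta was
    not rendered on that page and the check must be rerun on a page that
    shows the author.
    """
    raw = count_raw(page, canary)
    escaped = count_escaped(page, canary)
    return {
        "raw": raw,
        "escaped": escaped,
        "vulnerable": raw > 0,
        "canary_present": (raw + escaped) > 0,
    }


if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE_HTML), ("patched", PATCHED_HTML)):
        print(label, check_rendered_page(sample), locate_raw(sample))
```

Run the script on its own to see the two constructed samples classified; in practice, replace the sample with the HTML fetched from staging and treat any `vulnerable: True` result as a failed patch, checking the lines from locate_raw to see which template or presenter still emits the display name unescaped.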
References
- Wordfence Threat Intelligence - Yoast SEO vulnerability CVE-2024-4984 (id/59bcd246-ca2f-4336-9a6e-89afe873ed25)
- Yoast GitHub - Pull Request #21334
- WordPress Trac - Changeset 3079234 (wordpress-seo/trunk/src/presenters/slack/enhanced-data-presenter.php)
- Yoast Developer Changelog - Yoast SEO 22.7
- CISA ADP Vulnrichment - CVE-2024-4984
- CVE Program Container - related references
Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- Arts, Entertainment & Recreation: Low
- Management of Companies & Enterprises: Low
- Public Administration: Low
- Finance and Insurance: Low
- Health Care & Social Assistance: Low
- Manufacturing: Low
- Other Services (except Public Administration): Low
- Transportation & Warehousing: Low
- Accommodation & Food Services: Low
- Administrative, Support, Waste Management & Remediation Services: Low
- Agriculture, Forestry, Fishing & Hunting: Low
- Construction: Low
- Educational Services: Low
- Information: Low
- Mining: Low
- Professional, Scientific, & Technical Services: Low
- Real Estate Rental & Leasing: Low
- Retail Trade: Low
- Utilities: Low
- Wholesale Trade: Low