Fraud Blocker Prevent Yoast SEO XSS Attacks with WP-Firewall Security

Security Solution Prevents Yoast SEO XSS Attacks


WP-Firewall’s Advanced Security Measures Against Yoast SEO XSS Vulnerability

In the ever-evolving landscape of cybersecurity, WordPress websites are frequently targeted by malicious actors exploiting vulnerabilities in popular plugins. A recent case that has garnered significant attention is the Yoast SEO XSS vulnerability. At WP-Firewall, we understand the critical importance of safeguarding your WordPress site against such threats. In this blog, we will delve into the specifics of this vulnerability, its potential impact, and how WP-Firewall’s advanced security measures can protect your website.

What is the Yoast SEO Plugin Vulnerability?

Plugin Information

  • Vulnerable Plugin Version: v22.5 and earlier
  • Patch Release Version: v22.6 and newer

Yoast SEO is a widely-used search engine optimization plugin in the WordPress ecosystem, boasting over 10 million active users. It offers a plethora of features designed to enhance both the content and technical SEO aspects of a website, including SEO analysis, content insights, and XML sitemap generation.

About the Vulnerability

The Yoast SEO plugin for WordPress has a Reflected Cross-Site Scripting (XSS) vulnerability in all versions up to and including 22.5. This flaw arises because the plugin fails to adequately sanitize input and escape output in URLs. Consequently, unauthenticated attackers can inject arbitrary web scripts into pages, which can execute if a user is deceived into clicking a misleading link.

The vulnerability is linked to the `add_premium_link()` function within the `WPSEO_Admin_Bar_Menu` class, which inserts a premium promotion link into the WordPress admin bar.

The issue lies in the `build_shortlink()` function of the `WPSEO_Shortlinker` class, which does not implement proper escaping.

This function calls the `build()` function from the `Short_Link_Helper` class,

appending various values to `$url` collected via the `collect_additional_shortlink_data()` function.

The screen data is assigned based on the page GET input value, allowing attackers to inject malicious payloads through the page parameter.

Who Discovered This Vulnerability?

The Yoast SEO XSS vulnerability was discovered by independent WordPress security researcher Bassem Essam, who reported it to Wordfence’s Bug Bounty Program. Wordfence then informed Team Yoast, the plugin developer, on April 26, 2024, leading to the release of a patch on April 30, 2024.


Here is the update new patch relateSed from Yoast on 30 Apr,2024:

Yoast/wordpress-seo latest version :22.8-RC4(2024-05-23 23:09:05)

Release date: 2024-04-30

Yoast SEO 22.6 is out today! This release brings many performance and quality-of-life fixes to improve your favorite SEO plugin. Plus, we’re asking you to update your PHP versions. Find out what’s new in this post!


  • Adds a helpful error message in the Yoast sidebar/metabox in case of plugin or theme conflicts. Now when an unknown error occurs, the error is caught and an error message is shown. Before, the error would lead to a blank sidebar/metabox, or to an entire blank page.
  • Improves performance when it comes to storing user metadata, most visible at the point of author sitemap creation.
  • Improves the keyphrase detection in SEO title for Arabic and Hebrew. For example, when the keyphrase is "باندا حمراء" and the SEO title starts with "الباندا الحمراء", we now recognize this as an exact match and give a good result for the keyphrase in SEO title assessment.


  • Fixes a bug where a PHP notice in the settings would influence the styling of some of our inputs.
  • Fixes a bug where the inserted variables in the search appearance would not show correctly when using Elementor.
  • Fixes a bug where there would be a fatal error when deleting post meta in PHP 8.1 and higher. Props to @izzygld.
  • Fixes a security issue where URLs were not correctly escaped in the Yoast admin bar menu.

Introduces a notice on the WordPress dashboard and the Yoast SEO dashboard to let users know we are dropping support for PHP < 7.4 starting November 1st, 2024.


How is Your WordPress Site at Risk?

If you are using Yoast SEO plugin version 22.5 or earlier, your WordPress site is vulnerable to several potential threats:

  • Phishing or Clickjacking Attacks: Malicious scripts can be injected to redirect visitors to unapproved websites.
  • Larger Attacks: Compromised websites can be used as headquarters for larger attacks, leading to blacklisting by search engines like Google.
  • Backdoors: Hackers can install backdoors to re-infect previously cleaned websites.
  • Unauthorized Admin Accounts: Attackers can create unauthorized admin accounts, gaining complete control over the affected websites.
  • Data Theft: Sensitive data like user credentials and personal information can be accessed and stolen.

These vulnerabilities can severely damage your website’s reputation, reduce visitor trust, and cause significant drops in SEO rankings if not addressed promptly.

How to Protect Your Site?

To effectively safeguard your WordPress site from potential security risks such as the Yoast SEO XSS vulnerability, it’s essential to take proactive measures. Here’s how WP-Firewall can help:

1. Conduct an Initial Scan

Install WP-Firewall to quickly eliminate any existing malware and strengthen your site’s defenses using our advanced security features. Conducting this initial scan ensures your site is free from threats as you begin to fortify it.

2. Regularly Update Plugins and Themes

Outdated plugins and themes often contain vulnerabilities that hackers can exploit. WP-Firewall’s dashboard alerts you to outdated components, assisting you in keeping your software up-to-date and secure.

3. Update WordPress Salts and Security Keys

Updating WordPress salts and security keys will end all current sessions and log out users, significantly boosting your site’s security. WP-Firewall streamlines this process as part of its thorough cleanup routine.

4. Check User Roles and Permissions

Periodically examine the roles and permissions given to your site’s users. If any irregularities are found, quickly adjust or remove privileges to help prevent unauthorized access.

5. Change Login Details

Immediately update your administrator password and ensure all user sessions are ended. Encourage other users to change their passwords as well and to select strong, new passwords for enhanced security.

6. Enhance Login Security

Implement two-factor authentication (2FA) and establish limits on login attempts. These steps provide an extra layer of security, making it more difficult for unauthorized access to occur.

7. Continuous Monitoring

WP-Firewall continuously monitors your site for any suspicious activities. It constantly scans for unusual activities and quickly notifies you of potential threats, ensuring you can react swiftly to secure your site.

How Does WP-Firewall Secure Your Site?

In addition to the aforementioned measures, WP-Firewall enhances the protection of your WordPress site with a suite of crucial features:

1. Quick Malware Detection and Cleanup

WP-Firewall conducts daily scans to proactively search for malware across your site. If malware is detected, our powerful removal tool quickly eliminates the threat, helping to restore and maintain the health of your site.

2. Vulnerability Notifications

WP-Firewall keeps a vigilant watch over your plugins and themes for any signs of vulnerabilities. Upon detecting any issues, it promptly notifies you, allowing you to swiftly strengthen your site’s defenses.

3. Bot Defense

Aware of the negative impact bots can have on site performance, WP-Firewall implements strong measures to fend off these automated threats, ensuring your site runs efficiently.

4. Efficient Backups

WP-Firewall’s automated, offsite backup solution prepares you for any contingency. Should any issues surface, these backups facilitate a quick and effective restoration.


The Yoast SEO XSS vulnerability underscores the critical importance of robust security measures for WordPress websites. At WP-Firewall, we are committed to providing comprehensive protection against such threats. By leveraging our advanced security features, you can ensure your website remains secure, efficient, and trustworthy.

Protect your site today with WP-Firewall and experience the peace of mind that comes with knowing your WordPress site is safeguarded against the latest vulnerabilities.

You May Also Like:

UserPro Plugin Users Alert Update to Version 5.1.9 for Security Fix

Understanding WordPress Privilege Escalation: A Comprehensive Guide

Uncovering Hidden Dangers in Unpatched WordPress SSRF Vulnerability Research

How Can We Help You?

If you’re worried that your website has been hacked, WP-Firewall can help you quickly fix the issue and secure your site to prevent future hacks.

  • My site is hacked – Help me clean it: Clean your site with WP-Firewall’s AntiVirus solution within minutes. It will remove all malware from your complete site. Guaranteed.
  • Secure my WordPress Site from hackers: WP-Firewall’s 7-Layer Security Offers Complete Protection for Your Website. Thousands of Websites Trust WP-Firewall for Total Defense from Attacks.

WP-Firewall Key Features:

  • Malware Scanner
  • Malware Removal
  • WordPress Firewall
  • Bot Protection
  • Vulnerability Scanner
  • Emergency Cleanup

By taking proactive steps and utilizing WP-Firewall’s comprehensive security solutions, you can protect your WordPress site from vulnerabilities like the Yoast SEO XSS flaw and ensure a secure online presence.

wordpress security update banner

Receive WP Security Weekly for Free 👋
Signup Now

Sign up to receive WordPress Security Update in your inbox, every week.

We don’t spam! Read our privacy policy for more info.