What the vulnerability does
01 Description
Yoast Duplicate-Post WordPress Plugin 3.2.3 contains a persistent cross-site scripting vulnerability in plugin settings parameters. Attackers can inject malicious scripts into title prefix, suffix, menu order, and blacklist fields to execute arbitrary JavaScript in admin interfaces.
Explanation of Vulnerability in Simple Terms
02 Summary
Duplicate Post versions 0.3 through 3.2.3 contain a vulnerability affecting authenticated administrators. An admin user who is tricked into visiting a malicious page can trigger unintended actions within the plugin. The vulnerability requires both high-level privileges and user interaction to exploit. Update to version 3.2.4 or later to resolve this issue.
What an attacker can do
03 Attacker Capabilities
Trick an admin into visiting a malicious page to perform unintended actions in the plugin.
Potential impact on your site
04 Site Impact
An admin could unknowingly perform unintended actions if socially engineered to visit a malicious link.
Conditions required to exploit
05 Prerequisites
Admin-level access to WordPress and user interaction (the victim must visit the attacker's page).
Key dates
06 Disclosure timeline
February 11, 2026: CVE published
May 14, 2026: Record updated