CVE-2026-57764 MEDIUM

CVE-2026-57764: WordPress Surbma | Yoast SEO Breadcrumb Shortcode plugin <= 1.2 - Cross Site Scripting (XSS) vulnerability

Vendor: Surbma
Product: Surbma | Yoast SEO Breadcrumb Shortcode
Weakness: CWE-79 · XSS
Published: July 2, 2026
Last update: July 2, 2026

CVSS base score

6.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

Contributor-level Cross-Site Scripting (XSS) in Surbma | Yoast SEO Breadcrumb Shortcode, versions <= 1.2.

Explanation of Vulnerability in Simple Terms

02 Summary

The Surbma Yoast SEO Breadcrumb Shortcode plugin through version 1.2 contains a cross-site scripting (XSS) vulnerability. An authenticated user with low privileges can inject malicious scripts into breadcrumb output by crafting a malicious link or page title. When other users view the affected page, the injected script executes in their browser, potentially allowing the attacker to steal session tokens or perform actions on their behalf.

What an attacker can do

03 Attacker Capabilities

Inject and execute malicious JavaScript in other users' browsers via breadcrumb content.

Potential impact on your site

04 Site Impact

Authenticated users can inject scripts that execute for other site visitors, risking session hijacking or unauthorized actions.

Conditions required to exploit

05 Prerequisites

The attacker must have a low-privilege user account, and a victim must view a page containing the malicious breadcrumb.

Key dates

06 Disclosure timeline

July 2, 2026: CVE published
