{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4142", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-13T15:37:12.112Z", "datePublished": "2026-04-22T07:45:38.230Z", "dateUpdated": "2026-04-22T07:45:38.230Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:38.230Z"}, "affected": [{"vendor": "eazyserver", "product": "Sentence To SEO (keywords, description and tags)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Sentence To SEO (keywords, description and tags) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Permanent keywords' field in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin reads user input via filter_input_array(INPUT_POST) which applies no HTML sanitization (FILTER_DEFAULT), stores it unsanitized to the WordPress options table via update_option(), and then outputs the stored value directly into a textarea element without any escaping using PHP short echo tags (<?= ?>). An attacker can break out of the textarea element using a closing </textarea> tag and inject arbitrary HTML/JavaScript. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the plugin's settings page."}], "title": "Sentence To SEO (keywords, description and tags) <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Permanent keywords' Field", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7d11b2db-d097-433f-923c-f49ef2951c0e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L81"}, {"url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L81"}, {"url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L50"}, {"url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L50"}, {"url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L262"}, {"url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L262"}, {"url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L87"}, {"url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L87"}, {"url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L75"}, {"url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L75"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2026-04-21T19:05:43.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Sentence To SEO (keywords, description and tags) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Permanent keywords' field in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin reads user input via filter_input_array(INPUT_POST) which applies no HTML sanitization (FILTER_DEFAULT), stores it unsanitized to the WordPress options table via update_option(), and then outputs the stored value directly into a textarea element without any escaping using PHP short echo tags (<?= ?>). An attacker can break out of the textarea element using a closing </textarea> tag and inject arbitrary HTML/JavaScript. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the plugin's settings page."}], "id": "CVE-2026-4142", "lastModified": "2026-04-22T09:16:25.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T09:16:25.000", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L262"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L50"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L75"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L81"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L87"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L262"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L50"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L75"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L81"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L87"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7d11b2db-d097-433f-923c-f49ef2951c0e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T09:37:17.728004+00:00", "value": {"mitigation_remediation": ["Upgrade the Sentence To SEO plugin to a version that fixes the stored XSS issue or, if no newer version exists, uninstall the plugin.", "For sites that must keep the plugin, replace the non\u2011escaped output with proper escaping such as esc_textarea() or htmlspecialchars() and sanitize the 'Permanent keywords' input before storage.", "Deploy a Web Application Firewall rule or Content Security Policy header that blocks the execution of inline scripts on the admin settings page to mitigate exploitation until a code fix is applied."], "summary": {"action": "Patch immediately", "impact": "Stored Cross\u2011Site Scripting with administrative privileges"}, "threat_synthesis": {"affected_systems": "All released versions of the eazyserver Sentence To SEO plugin up to version 1.0 are affected. The plugin is a WordPress add\u2011on that manages keywords, descriptions, and tags. Any WordPress site that has installed this plugin and has an administrator or higher level account is vulnerable. No later versions are mentioned, so sites may still be using the legacy 1.0 build.", "description_and_impact": "The vulnerability is a stored XSS flaw that allows an attacker with administrator rights to inject arbitrary HTML or JavaScript into the plugin\u2019s settings page. The flaw originates from the 'Permanent keywords' input field, which accepts raw user data, stores it unsanitized, and outputs it back in a textarea without escaping. When script payloads are entered, a closing </textarea> tag can terminate the element and the script executes in the context of any visitor who views the settings page. The weakness is CWE\u201179.", "risk_and_exploitability": "The CVSS score for this issue is 4.4, indicating a moderate risk. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known large\u2011scale exploitation yet. The attack requires a web\u2011based interaction with the plugin\u2019s settings page and holds the precondition of administrator authentication. If an attacker can log into the site as an admin, they can immediately create malicious content that will affect all subsequent visitors to the settings page."}}}}, "created": "2026-04-22T09:45:13.083062+00:00", "updated": "2026-04-22T09:45:13.083072+00:00", "vendors": []}