CVE-2024-4984 Overview
CVE-2024-4984 is a Stored Cross-Site Scripting (XSS) vulnerability in the Yoast SEO plugin for WordPress. The flaw affects all versions up to and including 22.6 and lies in the handling of the author's display_name, a value every WordPress user can set from their own profile page. Insufficient input sanitization and output escaping allow authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript. The injected payload executes in the browser of any user who visits an affected page. The issue is tracked under CWE-79 and was patched in Yoast SEO version 22.7.
Critical Impact
Authenticated contributors can store JavaScript that runs in the browser of every visitor to an affected page, administrators included. Because WordPress sets its authentication cookies HttpOnly, the practical impact is not cookie theft but riding the administrator's session: the script can issue REST API or admin-ajax requests that carry the victim's cookies and nonce, which is enough to create a new administrator account, install a plugin, or edit arbitrary content within the WordPress admin context.
Affected Products
- Yoast SEO plugin for WordPress, all versions up to and including 22.6
- WordPress sites running the plugin where untrusted users hold the Contributor role or higher (for example, sites whose registration flow grants Contributor rather than the default Subscriber role)
- Fixed in Yoast SEO 22.7
Discovery Timeline
- 2024-05-16 - CVE-2024-4984 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-4984
Vulnerability Analysis
The vulnerability is a Stored XSS issue in the Yoast SEO plugin. Yoast SEO generates structured metadata for social platforms, including the Slack unfurl preview tags built by the enhanced-data-presenter.php component. The presenter reads the post author's display_name and embeds it in the rendered head output without adequate sanitization or escaping. An authenticated user with Contributor privileges can set their profile display_name to a string containing HTML markup or attribute-breakout characters. When any page that lists that user as author is rendered, the payload is served as part of the document.
Because the payload is stored server-side, in the display_name column of the wp_users table, the attack persists across sessions. Any visitor, including an authenticated administrator, triggers script execution simply by loading the affected page. This enables forced administrative actions through the WordPress REST API or admin-ajax, riding the victim's cookies and nonce, and from there pivoting to higher-privilege accounts.
Root Cause
The root cause is missing output escaping in the Slack enhanced-data presenter logic that handled author display names. The plugin treated the display_name field as trusted text rather than untrusted user-controlled input. Patch Pull Request #21334 and changeset 3079234 introduced proper escaping in enhanced-data-presenter.php.
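The following is an added illustration of the root-cause pattern, not code from the Yoast SEO plugin or its patch. It re-creates in Python the two ways an author name can end up inside the Slack "Written by" meta tag: concatenated raw (the pattern the advisory describes) and escaped for an attribute context (html.escape with quote=True stands in for WordPress's PHP esc_attr()). The tag names twitter:label1 / twitter:data1, the payload string and the benign name are assumptions constructed for the example; the payload deliberately uses no angle brackets, because a bare double quote followed by an attribute name is already enough to leave a quoted attribute.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs (assumptions for this example, not from the advisory).
# The payload needs no angle brackets: a stray double quote followed by an
# attribute name is enough to leave the quoted content="..." attribute.
PAYLOAD_DISPLAY_NAME = '" onmouseover="alert(document.domain)'
BENIGN_DISPLAY_NAME = "Ada O'Brien & Co."


def render_author_meta_unsafe(display_name: str) -> str:
    """Hypothetical re-creation of the vulnerable pattern: the author name is
    concatenated straight into the attribute value. Not Yoast's source."""
    return (
        '<meta name="twitter:label1" content="Written by">\n'
        f'<meta name="twitter:data1" content="{display_name}">'
    )


def render_author_meta_safe(display_name: str) -> str:
    """Same tag with the value escaped for an attribute context.
    html.escape(quote=True) entity-encodes the ampersand, both angle brackets
    and both quote characters, which is the job esc_attr() does in PHP."""
    return (
        '<meta name="twitter:label1" content="Written by">\n'
        f'<meta name="twitter:data1" content="{html.escape(display_name, quote=True)}">'
    )


class _MetaCollector(HTMLParser):
    """Collects the attribute dict of every <meta> tag, as a browser would parse it."""

    def __init__(self) -> None:
        super().__init__()
        self.metas: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag == "meta":
            self.metas.append(dict(attrs))


def injected_attributes(rendered: str) -> list[str]:
    """Attribute names on the twitter:data1 tag other than the two it should carry.
    Anything extra (onmouseover, onload, ...) was smuggled in via the display name."""
    parser = _MetaCollector()
    parser.feed(rendered)
    for attrs in parser.metas:
        if attrs.get("name") == "twitter:data1":
            return sorted(k for k in attrs if k not in ("name", "content"))
    return []


if __name__ == "__main__":
    for label, render in (("unsafe", render_author_meta_unsafe), ("escaped", render_author_meta_safe)):
        out = render(PAYLOAD_DISPLAY_NAME)
        print(f"--- {label} ---\n{out}\ninjected attributes: {injected_attributes(out)}")
```

The oracle parses the rendered tag the way a browser does rather than grepping for "<script>": the unsafe rendering yields a meta element with a third attribute, onmouseover, while the escaped rendering keeps the whole payload as inert text inside content. The benign name shows that escaping is lossless for legitimate input; the apostrophe and ampersand are encoded and display unchanged.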
Attack Vector
The attack vector is network-based and requires contributor-level authentication. An attacker registers or compromises a contributor account, then updates the profile display_name to embed a JavaScript payload. The attacker submits or owns a post that surfaces the manipulated author metadata. When an administrator previews or moderates the post, the payload executes with the administrator's WordPress session, achieving a scope change from contributor to administrator-level impact. See the Wordfence Vulnerability Report for additional technical context.
No verified public proof-of-concept code is available. The vulnerability mechanism is described in prose; refer to the upstream patch for the exact sink and remediation.
Detection Methods for CVE-2024-4984
Indicators of Compromise
- WordPress user profiles where the display_name field contains HTML tags such as <script>, <img onerror=...>, or <svg onload=...>, or, with no angle brackets at all, a bare double quote followed by an attribute name (for example " onmouseover="...), which is enough to break out of a quoted attribute.
- Unexpected JavaScript executing in administrative sessions when viewing posts authored by contributor accounts.
- New or modified contributor accounts created shortly before suspicious admin-area activity.
- Outbound HTTP requests from administrator browsers to attacker-controlled domains immediately after viewing content pages.
Detection Strategies
- Query the wp_users table (display_name is a column of wp_users, not a row in wp_usermeta) for display_name values containing angle brackets, double quotes, javascript: schemes, or on*= event-handler attributes.
- Inspect rendered page source for the Yoast Slack meta tags (the twitter:label1 / twitter:data1 pair that carries "Written by" and the author name) and confirm the author name appears entity-encoded inside the content attribute (&amp;, &quot;, &lt;, &gt;) and that the tag carries no attributes beyond name and content.
- Review web server access logs for contributor-account profile updates (POST requests to /wp-admin/profile.php) followed by administrator views of pages authored by that account.
- Use a vulnerability scanner with WordPress plugin signatures to identify Yoast SEO instances at version 22.6 or earlier.
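An added example of the stored-value check above, written for this page rather than taken from Yoast or WordPress: it runs the same criteria a wp_users query would apply over a small constructed set of rows (the row shape mirrors SELECT ID, user_login, display_name FROM wp_users, or wp user list --fields=ID,user_login,display_name --format=json). The rows, logins and payloads are invented for the example; the equivalent SQL is given in a comment.

```python
import re

# Constructed sample rows (assumption for this example, not real site data).
SAMPLE_WP_USERS = [
    {"ID": 1, "user_login": "admin", "display_name": "Site Admin"},
    {"ID": 7, "user_login": "obrien", "display_name": "Ada O'Brien & Co."},
    {"ID": 12, "user_login": "guest12", "display_name": '" onmouseover="alert(document.domain)'},
    {"ID": 13, "user_login": "guest13", "display_name": "<img src=x onerror=alert(1)>"},
    {"ID": 14, "user_login": "guest14", "display_name": 'Click <a href="javascript:alert(1)">me</a>'},
    {"ID": 15, "user_login": "guest15", "display_name": "Marie-Claire D'Angelo"},
]

# Equivalent direct query against the database (MySQL syntax):
#   SELECT ID, user_login, display_name FROM wp_users
#   WHERE display_name REGEXP '[<>"]'
#      OR display_name LIKE '%javascript:%'
#      OR display_name REGEXP '(^|[^a-z])on[a-z]+[[:space:]]*=';

CHECKS = [
    ("angle_bracket", re.compile(r"[<>]")),
    ("javascript_scheme", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    # A bare double quote is enough to break out of content="..."; apostrophes
    # are normal in names and are deliberately not flagged.
    ("double_quote", re.compile(r'"')),
]


def display_name_findings(display_name: str) -> list[str]:
    """Labels of every check that fires on one display_name value."""
    return [label for label, rx in CHECKS if rx.search(display_name)]


def audit_users(rows: list[dict]) -> list[dict]:
    """Return only the rows whose display_name trips at least one check,
    annotated with the reasons, so the output can be handed to an incident ticket."""
    flagged = []
    for row in rows:
        findings = display_name_findings(row["display_name"])
        if findings:
            flagged.append({"ID": row["ID"], "user_login": row["user_login"], "findings": findings})
    return flagged


if __name__ == "__main__":
    for hit in audit_users(SAMPLE_WP_USERS):
        print(f"user {hit['ID']} ({hit['user_login']}): {', '.join(hit['findings'])}")
```

Run against a real export by replacing SAMPLE_WP_USERS with the parsed JSON from wp user list. Legitimate names with apostrophes or ampersands (rows 7 and 15) are not flagged; the three injected values are, each with the specific reason.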
Monitoring Recommendations
- Forward WordPress audit logs and web server logs to a centralized analytics platform for correlation between profile edits and admin sessions.
- Alert on creation of new contributor or author accounts followed by rapid profile metadata changes.
- Monitor administrator browser sessions for anomalous XHR or fetch requests targeting /wp-json/wp/v2/users or other privileged endpoints.
- Track plugin version inventories across managed WordPress fleets and flag any host running Yoast SEO below 22.7.
How to Mitigate CVE-2024-4984
Immediate Actions Required
- Upgrade the Yoast SEO plugin to version 22.7 or later on every WordPress instance.
- Audit all existing user profiles and sanitize any display_name values containing HTML or scripting syntax.
- Review recent contributor and author registrations for accounts created by unknown parties and disable any that are suspicious.
- Rotate administrator session cookies and credentials if injected payloads are discovered in stored metadata.
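The audit and session-rotation steps above, as an added example that is not part of the original page or of any Yoast tooling: given an export of users (the constructed rows below assume the shape of wp user list --fields=ID,user_login,display_name,roles --format=json), it resets every injected display_name to the account's login name instead of trying to "clean" attacker-chosen text, and, if anything was found, emits a session-invalidation command for every administrator. The output is a list of WP-CLI commands (wp user update --display_name and wp user session destroy --all) to review and run; the rows and payloads are invented.

```python
import re
import shlex

# Constructed sample export (assumption for this example, not real site data).
SAMPLE_USERS = [
    {"ID": 1, "user_login": "admin", "display_name": "Site Admin", "roles": "administrator"},
    {"ID": 7, "user_login": "obrien", "display_name": "Ada O'Brien & Co.", "roles": "contributor"},
    {"ID": 12, "user_login": "guest12", "display_name": '" onmouseover="alert(document.domain)', "roles": "contributor"},
    {"ID": 13, "user_login": "guest13", "display_name": "<img src=x onerror=alert(1)>", "roles": "author"},
]

# Angle brackets, a double quote, a javascript: scheme or an on*= fragment
# all indicate a value that cannot be a legitimate display name.
BREAKOUT_RX = re.compile(r'["<>]|javascript\s*:|\bon[a-z]+\s*=', re.IGNORECASE)


def is_injected(display_name: str) -> bool:
    return BREAKOUT_RX.search(display_name) is not None


def remediation_commands(rows: list[dict]) -> list[str]:
    """Build the WP-CLI commands that reset injected display names and then
    destroy all live sessions of every administrator (the cookie-rotation step)."""
    commands = []
    flagged = [row for row in rows if is_injected(row["display_name"])]
    for row in flagged:
        # Reset to the login name: a known-safe value that core already validated.
        commands.append(f"wp user update {row['ID']} --display_name={shlex.quote(row['user_login'])}")
    if flagged:
        for row in rows:
            if "administrator" in row["roles"].split(","):
                commands.append(f"wp user session destroy {shlex.quote(row['user_login'])} --all")
    return commands


if __name__ == "__main__":
    print("\n".join(remediation_commands(SAMPLE_USERS)))
```

Session destruction forces administrators to log in again and invalidates any session token an injected script may have used, but it does not change passwords; if a payload was found, rotate those separately as the list above says.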
Patch Information
Yoast released the fix in Yoast SEO 22.7. The remediation adds proper escaping in src/presenters/slack/enhanced-data-presenter.php so author display names are HTML-encoded before output. See the Yoast SEO 22.7 Changelog and the upstream GitHub Pull Request #21334 for full patch details.
Workarounds
- Restrict contributor and author registration on sites that do not require open authorship.
- Apply least-privilege role assignments so untrusted users do not receive contributor capabilities.
- Deploy a web application firewall rule that blocks angle brackets, double quotes, javascript: schemes and on*= fragments in the display_name parameter of profile update requests to /wp-admin/profile.php; do not block all punctuation, or legitimate names containing apostrophes or ampersands will be rejected.
- Enforce a Content Security Policy that disallows inline scripts on the public front end to limit the impact of stored XSS payloads. The WordPress admin area relies on inline scripts, so applying the same policy to /wp-admin without nonces or hashes will break the dashboard.
# Configuration example: update Yoast SEO via WP-CLI
wp plugin update wordpress-seo --version=22.7   # omit --version to take the latest release instead
# Confirm the installed version is 22.7 or later
wp plugin list --name=wordpress-seo --fields=name,status,version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


