CVE-2026-3604: WP SEO Structured Data Schema XSS Flaw

CVE-2026-3604 Overview

CVE-2026-3604 is a Stored Cross-Site Scripting (XSS) vulnerability in the WP SEO Structured Data Schema plugin for WordPress. The flaw affects all versions up to and including 2.8.1. It exists in the handling of the _kcseo_ative_tab parameter, where the plugin fails to sanitize input and escape output. Authenticated users with Contributor-level access or higher can inject arbitrary JavaScript that executes when other users visit affected pages. The issue is classified under CWE-79, Improper Neutralization of Input During Web Page Generation.

Critical Impact

Authenticated contributors can inject persistent JavaScript that executes in the browser of any user viewing the affected page, enabling session theft, content manipulation, or redirection to attacker-controlled resources.

Affected Products

• WP SEO Structured Data Schema plugin for WordPress — all versions through 2.8.1
• Vulnerable file: lib/classes/KcSeoMetaData.php
• WordPress installations exposing Contributor or higher accounts to untrusted users

Discovery Timeline

• 2026-05-12 - CVE-2026-3604 published to NVD
• 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2026-3604

Vulnerability Analysis

The vulnerability resides in the WP SEO Structured Data Schema plugin's metadata handling logic within KcSeoMetaData.php. The plugin accepts the _kcseo_ative_tab parameter from authenticated users and stores it without applying proper sanitization. When the stored value is later rendered in the WordPress admin or front-end output, the plugin fails to escape it, allowing browser-interpreted markup and script to execute. The attack requires Contributor-level privileges, which limits the attacker pool but does not eliminate the threat on multi-author sites. Because the payload is stored, it persists across sessions and triggers whenever a victim loads the affected page.

Root Cause

The root cause is insufficient input sanitization on write and missing output escaping on render. The plugin trusts the _kcseo_ative_tab value supplied through post metadata operations. Functions referenced at lines 133 and 177 of KcSeoMetaData.php handle this parameter without invoking WordPress sanitization helpers such as sanitize_text_field() or escaping functions such as esc_attr() or esc_html() at output. This combination produces a classic stored XSS condition.

Attack Vector

An attacker authenticates to a vulnerable WordPress site with a Contributor account or higher. The attacker submits a post or edits metadata in a way that places a JavaScript payload into the _kcseo_ative_tab field. WordPress stores the payload in wp_postmeta. When any user — including administrators reviewing submissions — loads a page that renders the stored value, the script executes in that user's session context. Successful execution can hijack sessions, perform CSRF actions against the admin interface, or pivot to administrator account takeover.

No public proof-of-concept code is currently available. See the Wordfence Vulnerability Report and the plugin source on WordPress.org for technical details.

Detection Methods for CVE-2026-3604

Indicators of Compromise

• Unexpected <script>, onerror=, onload=, or javascript: content stored in the wp_postmeta table under the _kcseo_ative_tab meta key.
• Outbound browser requests from administrator sessions to unknown domains shortly after viewing posts authored by Contributors.
• Newly created administrator accounts or modified user roles following Contributor activity.
• Browser console errors or unexpected DOM mutations on pages managed by the plugin.

Detection Strategies

• Query the WordPress database for suspicious values: SELECT * FROM wp_postmeta WHERE meta_key = '_kcseo_ative_tab' AND meta_value REGEXP '<|javascript:|on[a-z]+=';.
• Review plugin source at lib/classes/KcSeoMetaData.php lines 133 and 177 to confirm vulnerable behavior in the installed version.
• Enable Web Application Firewall (WAF) rules that inspect POST bodies for script payloads targeting WordPress meta fields.
• Audit posts authored by Contributor accounts for anomalous HTML or script content.

Monitoring Recommendations

• Log and alert on changes to wp_postmeta rows containing HTML or script tokens.
• Monitor administrator browser sessions for anomalous XHR or fetch activity originating from post preview or edit screens.
• Track Contributor account creation rates and post submission patterns for abuse indicators.

How to Mitigate CVE-2026-3604

Immediate Actions Required

• Identify all WordPress sites running the WP SEO Structured Data Schema plugin at version 2.8.1 or earlier.
• Deactivate the plugin until a patched version is installed if Contributor or higher accounts are held by untrusted users.
• Audit existing posts and wp_postmeta entries for malicious payloads in the _kcseo_ative_tab field and remove them.
• Rotate administrator credentials and invalidate active sessions on any site suspected of exploitation.

Patch Information

At the time of publication, the NVD entry references plugin code through version 2.8.1 and the trunk branch. Administrators should monitor the Wordfence advisory and the WordPress plugin repository for an updated release that applies proper sanitization and escaping to the _kcseo_ative_tab parameter.

Workarounds

• Restrict Contributor and Author role assignment to trusted users only.
• Deploy a WordPress-aware WAF with rules blocking script injection in post meta submissions.
• Apply the principle of least privilege and disable the plugin on sites where structured data features are not required.
• Add a custom mu-plugin filter that sanitizes _kcseo_ative_tab via sanitize_text_field() before storage as a temporary measure.

# Configuration example: locate vulnerable installations via WP-CLI
wp plugin list --field=name,version | grep wp-seo-structured-data-schema
wp db query "SELECT post_id, meta_value FROM wp_postmeta WHERE meta_key='_kcseo_ative_tab' AND meta_value REGEXP '<|javascript:|on[a-z]+=';"
wp plugin deactivate wp-seo-structured-data-schema