
CVE-2026-24591: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in yasir129 Turn Yoast SEO FAQ Block to Accordion

Severity: Medium
Published: Fri Jan 23 2026 (01/23/2026, 14:29:00 UTC)
Source: CVE Database V5
Vendor/Project: yasir129
Product: Turn Yoast SEO FAQ Block to Accordion

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in yasir129 Turn Yoast SEO FAQ Block to Accordion faq-schema-block-to-accordion allows Stored XSS. This issue affects Turn Yoast SEO FAQ Block to Accordion: from n/a through <= 1.0.6.

AI-Powered Analysis

AI analysis last updated: 01/23/2026, 15:24:50 UTC

Technical Analysis

CVE-2026-24591 is a stored Cross-site Scripting (XSS) vulnerability identified in the 'Turn Yoast SEO FAQ Block to Accordion' WordPress plugin by yasir129, affecting all versions up to and including 1.0.6. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, specifically within the FAQ schema block that converts Yoast SEO FAQ blocks into accordion-style elements. This flaw allows an attacker to inject malicious JavaScript code that is stored persistently on the affected website and executed in the browsers of users who visit the compromised pages. Stored XSS is particularly dangerous because it can affect multiple users without requiring repeated exploitation. The vulnerability does not require authentication, meaning any unauthenticated attacker can exploit it by submitting crafted input that gets stored and later rendered unsafely. The lack of proper input sanitization and output encoding in the plugin's code is the root cause. Although no public exploits are currently known, the vulnerability's presence in a popular WordPress plugin component used for SEO and FAQ presentation increases its attractiveness to attackers. The plugin's integration with Yoast SEO, a widely used SEO tool, means many websites could be impacted, especially those that use the FAQ block feature. The vulnerability could be leveraged to steal cookies, perform session hijacking, deface websites, or deliver malware. The absence of a CVSS score indicates that the vulnerability is newly disclosed and not yet fully assessed, but the characteristics suggest a high-risk profile. The vulnerability was published on January 23, 2026, and no patches or fixes have been linked yet, emphasizing the need for vigilance and proactive mitigation by site administrators.

Potential Impact

For European organizations, this vulnerability poses significant risks including unauthorized access to user sessions, theft of sensitive data such as authentication tokens or personal information, and potential website defacement or malware distribution. Given the GDPR and other stringent data protection regulations in Europe, exploitation could lead to regulatory penalties and loss of customer trust. Organizations relying on WordPress for their public-facing websites, especially those using the Yoast SEO FAQ block feature, may experience service disruption or reputational damage if attackers exploit this vulnerability. The stored nature of the XSS means that once injected, the malicious payload can affect all visitors to the compromised page, increasing the scope of impact. Attackers could also use the vulnerability as a foothold for further attacks within the network or to spread phishing campaigns. The impact on confidentiality and integrity is high, while availability impact is moderate but possible if attackers deface or disrupt the site. The lack of known exploits currently provides a window for mitigation, but the ease of exploitation and widespread use of the plugin elevate the threat level.

Mitigation Recommendations

1. Monitor for updates from the plugin developer and apply patches immediately once available to remediate the vulnerability.
2. Until a patch is released, disable or remove the 'Turn Yoast SEO FAQ Block to Accordion' plugin to eliminate the attack surface.
3. Implement strict input validation and sanitization on all user inputs related to FAQ content to prevent malicious script injection.
4. Apply output encoding techniques when rendering user-generated content to ensure scripts are not executed.
5. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks.
6. Conduct regular security audits and vulnerability scans on WordPress installations to detect potential exploitation attempts.
7. Educate site administrators and content creators about the risks of injecting untrusted content and safe content management practices.
8. Use Web Application Firewalls (WAF) with rules tailored to detect and block XSS attack patterns targeting WordPress plugins.
9. Review and harden user permissions to limit who can add or edit FAQ content, reducing the risk of malicious input insertion.
10. Maintain regular backups of website content to enable quick recovery in case of compromise.
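As an added illustration of mitigation steps 4 and 5 (this is not the plugin's code, which the page does not show): the unescaped rendering pattern that produces a stored XSS of this kind, beside a corrected renderer that uses WordPress's own escaping helpers, plus a CSP header as defense in depth. The function names, the FAQ item fields and the hook usage are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Function names and item fields
// ('id', 'question', 'answer') are assumptions for the example.

// Vulnerable pattern: stored FAQ fields are concatenated into markup as-is, so
// any HTML or script saved in a question or answer is sent to every visitor's browser.
function faq_accordion_render_unsafe( array $items ): string {
    $html = '<div class="faq-accordion">';
    foreach ( $items as $item ) {
        $html .= '<button class="faq-q" data-id="' . $item['id'] . '">' . $item['question'] . '</button>';
        $html .= '<div class="faq-a">' . $item['answer'] . '</div>';
    }
    return $html . '</div>';
}

// Hardened pattern: each value is encoded for the context it lands in.
// esc_attr() for attribute values, esc_html() for text nodes, and wp_kses_post()
// where limited formatting (bold, links, lists) must survive in the answer body.
function faq_accordion_render_safe( array $items ): string {
    $html = '<div class="faq-accordion">';
    foreach ( $items as $item ) {
        $html .= '<button class="faq-q" data-id="' . esc_attr( $item['id'] ) . '">'
               . esc_html( $item['question'] ) . '</button>';
        $html .= '<div class="faq-a">' . wp_kses_post( $item['answer'] ) . '</div>';
    }
    return $html . '</div>';
}

// Defense in depth (mitigation step 5): only same-origin script files may run, so an
// injected inline script is blocked even if an escaping call is missed somewhere.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: script-src 'self'; object-src 'none'; base-uri 'self'" );
} );
```

Themes and other plugins often rely on inline scripts, so roll the policy out first as Content-Security-Policy-Report-Only and review the violation reports before enforcing it.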


Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2026-01-23T12:32:12.342Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69738ade4623b1157c48bbea

Added to database: 1/23/2026, 2:51:10 PM

Last enriched: 1/23/2026, 3:24:50 PM

Last updated: 2/7/2026, 8:01:25 PM
