CVE-2026-4142: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in eazyserver Sentence To SEO (keywords, description and tags)
The Sentence To SEO (keywords, description and tags) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Permanent keywords' field in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin reads user input via filter_input_array(INPUT_POST) which applies no HTML sanitization (FILTER_DEFAULT), stores it unsanitized to the WordPress options table via update_option(), and then outputs the stored value directly into a textarea element without any escaping using PHP short echo tags (<?= ?>). An attacker can break out of the textarea element using a closing </textarea> tag and inject arbitrary HTML/JavaScript. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the plugin's settings page.
AI Analysis
Technical Summary
CVE-2026-4142 is a stored cross-site scripting vulnerability in the eazyserver Sentence To SEO WordPress plugin. The issue arises because user input from the 'Permanent keywords' field is read without HTML sanitization (using filter_input_array with FILTER_DEFAULT), stored unsanitized in the WordPress options table, and then output directly into a textarea element without escaping. This allows an authenticated administrator to inject malicious scripts by breaking out of the textarea with a closing tag, leading to script execution when the plugin settings page is viewed.
Potential Impact
An attacker with administrator-level access can inject arbitrary scripts into the plugin's settings page, potentially leading to session hijacking, defacement, or other attacks against users who access that page. The CVSS score of 4.4 (medium severity) reflects limited impact due to the requirement for high privileges and no user interaction beyond visiting the settings page.
Mitigation Recommendations
No official patch or remediation is currently confirmed. Since the vulnerability requires administrator-level access, restricting administrative privileges and limiting access to trusted users can reduce risk. Monitor the vendor's advisory for updates and apply any future patches promptly. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
CVE-2026-4142: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in eazyserver Sentence To SEO (keywords, description and tags)
Description
The Sentence To SEO (keywords, description and tags) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Permanent keywords' field in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin reads user input via filter_input_array(INPUT_POST) which applies no HTML sanitization (FILTER_DEFAULT), stores it unsanitized to the WordPress options table via update_option(), and then outputs the stored value directly into a textarea element without any escaping using PHP short echo tags (<?= ?>). An attacker can break out of the textarea element using a closing </textarea> tag and inject arbitrary HTML/JavaScript. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the plugin's settings page.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-4142 is a stored cross-site scripting vulnerability in the eazyserver Sentence To SEO WordPress plugin. The issue arises because user input from the 'Permanent keywords' field is read without HTML sanitization (using filter_input_array with FILTER_DEFAULT), stored unsanitized in the WordPress options table, and then output directly into a textarea element without escaping. This allows an authenticated administrator to inject malicious scripts by breaking out of the textarea with a closing tag, leading to script execution when the plugin settings page is viewed.
Potential Impact
An attacker with administrator-level access can inject arbitrary scripts into the plugin's settings page, potentially leading to session hijacking, defacement, or other attacks against users who access that page. The CVSS score of 4.4 (medium severity) reflects limited impact due to the requirement for high privileges and no user interaction beyond visiting the settings page.
Mitigation Recommendations
No official patch or remediation is currently confirmed. Since the vulnerability requires administrator-level access, restricting administrative privileges and limiting access to trusted users can reduce risk. Monitor the vendor's advisory for updates and apply any future patches promptly. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-13T15:37:12.112Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e8877019fe3cd2cd809002
Added to database: 4/22/2026, 8:31:44 AM
Last enriched: 4/22/2026, 8:47:43 AM
Last updated: 4/23/2026, 1:06:58 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.