WP-Safety

Yext Plugin Security & Risk Analysis

wordpress.org/plugins/yext

The Yext plugin lets you sync your menus, product lists, social network posts, and other business content from Yext to your WordPress site.

800 active installs v1.1.3 PHP + WP 2.8+ Updated Mar 6, 2023
contentlistmenuproductyext
63
C · Use Caution
CVEs total1
Unpatched1
Last CVESep 26, 2025
Plugin page Download
Safety Verdict

Is Yext Plugin Safe to Use in 2026?

Use With Caution

Score 63/100

Yext Plugin has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE 1 unpatched Last CVE: Sep 26, 2025Updated 3yr ago
Risk Assessment

The Yext plugin v1.1.3 exhibits a mixed security posture. On the positive side, it demonstrates good practices by not utilizing dangerous functions, performing all SQL queries with prepared statements, and having no external HTTP requests. The static analysis also found no critical or high severity taint flows, which is reassuring.

However, significant concerns arise from the lack of output escaping for all observed outputs. This means that user-supplied data displayed on the frontend could be vulnerable to cross-site scripting (XSS) attacks. Additionally, the complete absence of nonce checks and capability checks, even though there are no direct unprotected AJAX handlers or REST API routes listed, is a notable weakness. This makes it harder to prevent unauthorized actions if other entry points were discovered or introduced.

The plugin's vulnerability history, which includes one medium severity CVE with missing authorization and is currently unpatched, further amplifies these concerns. This specific vulnerability type aligns with the observed lack of capability checks in the code. While the number of CVEs is low, the presence of an unpatched vulnerability, especially one related to authorization, warrants immediate attention. The overall conclusion is that while the plugin avoids some common pitfalls, the lack of output escaping and the unpatched authorization vulnerability represent significant security risks.

Key Concerns

  • Unescaped output detected
  • Missing nonce checks
  • Missing capability checks
  • Unpatched CVE (Medium Severity)
Vulnerabilities
1

Yext Plugin Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched
2025
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2025-60129medium · 5.3Missing Authorization

Yext <= 1.1.3 - Missing Authorization

Sep 26, 2025Unpatched
Code Analysis
Analyzed Mar 16, 2026

Yext Plugin Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
5
0 escaped
Nonce Checks
0
Capability Checks
0
File Operations
2
External Requests
0
Bundled Libraries
0

Output Escaping

0% escaped5 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths
yext_savetoken (yext.php:162)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Yext Plugin Attack Surface

Entry Points6
Unprotected0

Shortcodes 6

[yext-posts] yext.php:34
[yext-productlist] yext.php:35
[yext-calendar] yext.php:36
[yext-bios] yext.php:37
[yext-menu] yext.php:38
[yext-reviews] yext.php:39
WordPress Hooks 5
actioninityext.php:139
actionadmin_menuyext.php:147
actionadmin_enqueue_scriptsyext.php:155
actionadmin_action_yext_savetokenyext.php:161
actionadmin_action_yext_removetokenyext.php:167
Maintenance & Trust

Yext Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested6.0.11
Last updatedMar 6, 2023
PHP min version
Downloads42K

Community Trust

Rating66/100
Number of ratings4
Active installs800
Alternatives

Yext Plugin Alternatives

Express Shop for WooCommerce Product Table

Express Shop for WooCommerce Product Table

express-shop

A
99

This one page shop for WooCommerce will display woocommerce product table for easy bulk order. Suitable for restaurant online ordering, food menu, wh &hellip;

20 1 CVE
Google for WooCommerce

Google for WooCommerce

google-listings-and-ads

A
99

Native integration with Google that allows merchants to easily display their products across Google’s network.

900K 1 CVE
Product Feed Manager for WooCommerce – CTX Feed – Support 220+ Shopping & Social Channels

Product Feed Manager for WooCommerce – CTX Feed – Support 220+ Shopping & Social Channels

webappick-product-feed-for-woocommerce

A
92

Create WooCommerce product feeds for Google Shopping, Facebook, TikTok & 220+ channels. 2026 compliant. 6 formats. Trusted by 70,000+ stores.

70K 4 CVEs
WCBoost – Wishlist

WCBoost – Wishlist

wcboost-wishlist

A
100

WCBoost - Wishlist lets shoppers create wishlists for later purchases, reminding them of desired items, driving repeat visits and boost sales.

30K No CVEs
Iks Menu – WordPress Category Accordion Menu & FAQs

Iks Menu – WordPress Category Accordion Menu & FAQs

iks-menu

A
100

Super customizable WordPress plugin for displaying custom menus, taxonomy/category terms and FAQs as accordion menu (with images support).

10K No CVEs
Developer Profile

Yext Plugin Developer Profile

Yext

4 plugins · 880 total installs

82
trust score
Avg Security Score
83/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Yext Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/yext/public/css/yext.css
Script Paths
//ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js

HTML / DOM Fingerprints

HTML Comments
<!--There was an error connecting to Yext's services.--><!--The widget you are trying to use is not valid. Please update your widget so that it is linked to a specific location.--><!--The widget you are trying to use is not valid. Please make sure you have the correct id and type in your shortcode.--><!--The widget you are trying to use cannot be found.-->+1 more
Data Attributes
id="yext-widget-iframe"id="persist-token-form"id="yext-login-token"id="remove-token-form"
JS Globals
window.invokeFormActionwindow.establishConnectionwindow.sendConnectionRequestwindow.requestConnectionIntervalwindow.receiveMessage
REST Endpoints
/Serving/ShouldLog/Serving/ReceiveLogMessage/Serving/WordpressHtml
Shortcode Output
[yext-posts[yext-productlist[yext-calendar[yext-bios
FAQ

Frequently Asked Questions about Yext Plugin