CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Description (NVD)
The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify post ownership. This makes it possible for authenticated attackers, with Contributor-level access and above, to read sensitive SEO metadata from any post on the site via the 'post_id' parameter, including posts owned by other users, private posts, and draft posts.
Analysis (AI)
Insecure Direct Object Reference in Yoast SEO for WordPress (all versions through 26.5) allows authenticated Contributor-level users to read SEO metadata from any post on the site - including private posts, drafts, and content owned by other users - by supplying arbitrary post_id values to the Meta Search REST API endpoint. The flaw is a missing object-level authorization check: the plugin verified generic edit capability rather than per-post ownership. No public exploit identified at time of analysis, and EPSS stands at 0.03% (8th percentile), indicating low exploitation interest in the wild.
Technical Context (AI)
The vulnerability exists in src/routes/meta-search-route.php at line 56 of the Yoast SEO plugin, within its Meta Search REST API route. WordPress's current_user_can() function supports two modes: a role-level gate when called with only a capability string (e.g., edit_posts), and an object-level gate when also passed a post ID (e.g., edit_post + post_id). The pre-fix code called current_user_can( $post_type_object->cap->edit_posts ) - verifying only that the requesting user holds the generic edit_posts capability, which Contributors possess by default - without passing the requested $request['post_id'] to enforce ownership. CWE-862 (Missing Authorization) precisely describes this class of flaw: a permission check exists but fails to scope it to the specific object being accessed, producing a classic IDOR pattern where the parameter controlling resource access (post_id) is not validated against the caller's ownership.
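The two forms of current_user_can() described above, shown as an added PHP illustration that is not Yoast's code: a hypothetical REST route with the pre-fix role-level permission callback beside an object-level one. The route namespace, function names and response fields are assumptions; the capability names are WordPress's own.

```php
<?php
// Added illustration, not Yoast's code: the two permission-check shapes the text
// describes, as REST permission callbacks. Route namespace, function names and
// the response body are assumptions; the capability names are WordPress's own.

// Pre-fix shape (CWE-862): role-level gate. Anyone holding the post type's
// edit_posts capability (Contributors by default) passes for any post_id.
function example_meta_permission_vulnerable( WP_REST_Request $request ) {
    $post = get_post( (int) $request['post_id'] );
    if ( ! $post ) {
        return new WP_Error( 'not_found', 'Post not found.', array( 'status' => 404 ) );
    }
    $post_type_object = get_post_type_object( $post->post_type );
    return current_user_can( $post_type_object->cap->edit_posts );
}

// Hardened shape: object-level gate. edit_post is a meta capability that
// map_meta_cap() resolves per post: for a Contributor it demands
// edit_others_posts on posts they do not own and edit_published_posts on
// published posts, neither of which the role has, so only the caller's own
// unpublished posts remain readable.
function example_meta_permission_fixed( WP_REST_Request $request ) {
    $post = get_post( (int) $request['post_id'] );
    if ( ! $post ) {
        return new WP_Error( 'not_found', 'Post not found.', array( 'status' => 404 ) );
    }
    $post_type_object = get_post_type_object( $post->post_type );
    if ( ! current_user_can( $post_type_object->cap->edit_post, $post->ID ) ) {
        return new WP_Error( 'forbidden', 'Not allowed for this post.', array( 'status' => 403 ) );
    }
    return true;
}

// Hypothetical handler: returns a subset of post fields once the permission
// callback has approved the request.
function example_meta_callback( WP_REST_Request $request ) {
    $post = get_post( (int) $request['post_id'] );
    return rest_ensure_response( array( 'id' => $post->ID, 'title' => $post->post_title, 'status' => $post->post_status ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/meta', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_meta_callback',
        'permission_callback' => 'example_meta_permission_fixed', // the _vulnerable variant is the pre-fix shape
        'args'                => array( 'post_id' => array( 'required' => true, 'type' => 'integer' ) ),
    ) );
} );
```

Both callbacks return 404 before the capability check, which reveals whether a post ID exists; a stricter variant would return the same 403 for missing and forbidden posts.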
Remediation (AI)
The upstream fix is confirmed in GitHub PR #22797 (https://github.com/Yoast/wordpress-seo/pull/22797) and WordPress Plugin SVN changeset 3412286 (https://plugins.trac.wordpress.org/changeset/3412286/wordpress-seo#file163). A specific released patch version number is not independently confirmed from the available data: the fix exists in the upstream PR and changeset, but the tagged release that carries it should be verified in the WordPress Plugin Directory. Update Yoast SEO to any version beyond 26.5 once it is confirmed available. As a compensating control pending the update, administrators can revoke REST API access for Contributor-level roles via a firewall rule or security plugin (e.g., blocking /wp-json/yoast/ routes for unauthenticated and low-privilege users), though this may break SEO-dependent integrations. Alternatively, auditing and reducing the number of active Contributor accounts lowers exposure without service disruption.
EUVD-2025-209950
GHSA-5h48-r6mr-r747