Skip to main content

Yoast SEO CVE-2025-14481

| EUVDEUVD-2025-209950 MEDIUM
Missing Authorization (CWE-862)
2026-05-27 security@wordfence.com GHSA-5h48-r6mr-r747
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 27, 2026 - 21:41 vuln.today
Analysis Generated
May 27, 2026 - 21:41 vuln.today
CVE Published
May 27, 2026 - 05:16 nvd
MEDIUM 4.3

DescriptionCVE.org

The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify post ownership. This makes it possible for authenticated attackers, with Contributor-level access and above, to read sensitive SEO metadata from any post on the site via the 'post_id' parameter, including posts owned by other users, private posts, and draft posts.

AnalysisAI

Insecure Direct Object Reference in Yoast SEO for WordPress (all versions through 26.5) allows authenticated Contributor-level users to read SEO metadata from any post on the site - including private posts, drafts, and content owned by other users - by supplying arbitrary post_id values to the Meta Search REST API endpoint. The flaw is a missing object-level authorization check: the plugin verified generic edit capability rather than per-post ownership. No public exploit identified at time of analysis, and EPSS stands at 0.03% (8th percentile), indicating low exploitation interest in the wild.

Technical ContextAI

The vulnerability exists in src/routes/meta-search-route.php at line 56 of the Yoast SEO plugin, within its Meta Search REST API route. WordPress's current_user_can() function supports two modes: a role-level gate when called with only a capability string (e.g., edit_posts), and an object-level gate when also passed a post ID (e.g., edit_post + post_id). The pre-fix code called current_user_can( $post_type_object->cap->edit_posts ) - verifying only that the requesting user holds the generic edit_posts capability, which Contributors possess by default - without passing the requested $request['post_id'] to enforce ownership. CWE-862 (Missing Authorization) precisely describes this class of flaw: a permission check exists but fails to scope it to the specific object being accessed, producing a classic IDOR pattern where the parameter controlling resource access (post_id) is not validated against the caller's ownership.

RemediationAI

The upstream fix is confirmed in GitHub PR #22797 (https://github.com/Yoast/wordpress-seo/pull/22797) and WordPress Plugin SVN changeset 3412286 (https://plugins.trac.wordpress.org/changeset/3412286/wordpress-seo#file163); however, a specific released patch version number is not independently confirmed from the available data - the fix is in an upstream PR and changeset but a tagged release should be verified in the WordPress Plugin Directory. Update Yoast SEO to any version beyond 26.5 once confirmed available. As a compensating control pending update, administrators can revoke REST API access for Contributor-level roles via a firewall rule or security plugin (e.g., blocking /wp-json/yoast/ routes for unauthenticated and low-privilege users), though this may break SEO-dependent integrations. Alternatively, auditing and reducing the number of active Contributor accounts lowers exposure without service disruption.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2025-14481 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy