Skip to main content

Slim SEO CVE-2026-57429

| EUVDEUVD-2026-39385 MEDIUM
Missing Authorization (CWE-862)
2026-06-25 Patchstack GHSA-653g-xfpx-c824
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Contributor credentials required (PR:L); network-accessible plugin endpoint (AV:N); read-only data disclosure with no write or denial-of-service capability confirmed (I:N/A:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 14:37 vuln.today

DescriptionCVE.org

Contributor Broken Access Control in Slim SEO <= 4.6.2 versions.

AnalysisAI

Broken access control in the Slim SEO WordPress plugin through version 4.6.2 allows authenticated users holding the Contributor role to bypass authorization checks and access restricted data, yielding a high confidentiality impact per CVSS C:H. The flaw is rooted in CWE-862 (Missing Authorization), meaning the plugin fails to verify whether the requesting user holds sufficient privileges before executing certain privileged actions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or register WordPress Contributor credentials
Delivery
Authenticate to target WordPress site
Exploit
Send crafted HTTP request to unprotected Slim SEO plugin endpoint
Execution
Bypass missing authorization check (CWE-862)
Impact
Retrieve restricted SEO or site configuration data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress user account at the Contributor role level or higher on a site running Slim SEO version 4.6.2 or earlier - the CVSS PR:L metric confirms that unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N accurately reflects the risk profile: the flaw is network-reachable with low complexity and no user interaction, but requires contributor-level authentication (PR:L), limiting the exposed attack surface to sites with multiple users or open registration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or already holds a Contributor-level account on a target WordPress site running Slim SEO 4.6.2 or earlier. They send a crafted authenticated HTTP request directly to the vulnerable plugin endpoint, bypassing the missing capability check. …
Remediation Update the Slim SEO plugin to a version released after 4.6.2. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57429 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy