Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify post ownership. This makes it possible for authenticated attackers, with Contributor-level access and above, to read sensitive SEO metadata from any post on the site via the 'post_id' parameter, including posts owned by other users, private posts, and draft posts.
AnalysisAI
Insecure Direct Object Reference in Yoast SEO for WordPress (all versions through 26.5) allows authenticated Contributor-level users to read SEO metadata from any post on the site - including private posts, drafts, and content owned by other users - by supplying arbitrary post_id values to the Meta Search REST API endpoint. The flaw is a missing object-level authorization check: the plugin verified generic edit capability rather than per-post ownership. No public exploit identified at time of analysis, and EPSS stands at 0.03% (8th percentile), indicating low exploitation interest in the wild.
Technical ContextAI
The vulnerability exists in src/routes/meta-search-route.php at line 56 of the Yoast SEO plugin, within its Meta Search REST API route. WordPress's current_user_can() function supports two modes: a role-level gate when called with only a capability string (e.g., edit_posts), and an object-level gate when also passed a post ID (e.g., edit_post + post_id). The pre-fix code called current_user_can( $post_type_object->cap->edit_posts ) - verifying only that the requesting user holds the generic edit_posts capability, which Contributors possess by default - without passing the requested $request['post_id'] to enforce ownership. CWE-862 (Missing Authorization) precisely describes this class of flaw: a permission check exists but fails to scope it to the specific object being accessed, producing a classic IDOR pattern where the parameter controlling resource access (post_id) is not validated against the caller's ownership.
RemediationAI
The upstream fix is confirmed in GitHub PR #22797 (https://github.com/Yoast/wordpress-seo/pull/22797) and WordPress Plugin SVN changeset 3412286 (https://plugins.trac.wordpress.org/changeset/3412286/wordpress-seo#file163); however, a specific released patch version number is not independently confirmed from the available data - the fix is in an upstream PR and changeset but a tagged release should be verified in the WordPress Plugin Directory. Update Yoast SEO to any version beyond 26.5 once confirmed available. As a compensating control pending update, administrators can revoke REST API access for Contributor-level roles via a firewall rule or security plugin (e.g., blocking /wp-json/yoast/ routes for unauthenticated and low-privilege users), though this may break SEO-dependent integrations. Alternatively, auditing and reducing the number of active Contributor accounts lowers exposure without service disruption.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209950
GHSA-5h48-r6mr-r747