Skip to main content

Slim Seo A Fast Automated Seo Plugin For Wordpress

1 CVEs product

Monthly

CVE-2026-12408 MEDIUM This Month

Unauthorized private content disclosure in the Slim SEO WordPress plugin (all versions through 4.9.8) allows authenticated Contributors to read protected content they do not own via the `/wp-json/slim-seo/meta-tags/ai` REST API endpoint. The endpoint's broken object-level authorization - checking only the generic `edit_posts` capability rather than per-post read access - lets any Contributor supply an arbitrary post ID and receive an AI-generated summary of that post's raw content, including private, draft, pending, future, and password-protected posts authored by other users. No public exploit or CISA KEV listing is identified at time of analysis; real-world risk is constrained by the requirement for a pre-existing Contributor-level account.

WordPress Information Disclosure Slim Seo A Fast Automated Seo Plugin For Wordpress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized private content disclosure in the Slim SEO WordPress plugin (all versions through 4.9.8) allows authenticated Contributors to read protected content they do not own via the `/wp-json/slim-seo/meta-tags/ai` REST API endpoint. The endpoint's broken object-level authorization - checking only the generic `edit_posts` capability rather than per-post read access - lets any Contributor supply an arbitrary post ID and receive an AI-generated summary of that post's raw content, including private, draft, pending, future, and password-protected posts authored by other users. No public exploit or CISA KEV listing is identified at time of analysis; real-world risk is constrained by the requirement for a pre-existing Contributor-level account.

WordPress Information Disclosure Slim Seo A Fast Automated Seo Plugin For Wordpress
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy