CVE-2025-14481

EPSS 0.29%
Veröffentlicht 27.05.2026 04:28:59
Zuletzt bearbeitet 27.05.2026 14:50:47
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Yoast SEO <= 26.5 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via 'post_id' Parameter

The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify post ownership. This makes it possible for authenticated attackers, with Contributor-level access and above, to read sensitive SEO metadata from any post on the site via the 'post_id' parameter, including posts owned by other users, private posts, and draft posts.

Mögliche Gegenmaßnahme

Yoast SEO – Advanced SEO with real-time guidance and built-in AI: Update to version 26.6, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

CNA 1 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstelleryoast

≫

Produkt Yoast SEO – Advanced SEO with real-time guidance and built-in AI

Default Statusunaffected

Version <= 26.5

Version 0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Yoast SEO – Advanced SEO with real-time guidance and built-in AI

Version *-26.5

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.29%	0.203

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://www.wordfence.com/threat-intel/vulnerabilities/id/04b2123d-ae0c-4984-95f5-7040f8604c92?source=cve

https://plugins.trac.wordpress.org/browser/wordpress-seo/trunk/src/routes/meta-search-route.php#L56

https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.4/src/routes/meta-search-route.php#L56

https://github.com/Yoast/wordpress-seo/pull/22797

https://plugins.trac.wordpress.org/changeset/3412286/wordpress-seo#file163

https://www.wordfence.com/threat-intel/vulnerabilities/id/04b2123d-ae0c-4984-95f5-7040f8604c92

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-14481

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-14481

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-14481

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-14481