CVE-2025-11734
BaseFortify
Publication date: 2025-11-18
Last updated on: 2025-11-18
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aioseo | broken_link_checker | 1.2.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Broken Link Checker plugin by AIOSEO for WordPress, where a REST API endpoint lacks proper authorization checks. Although it requires a broad capability granted to contributor-level users, it does not verify if the user has permission to modify the specific post targeted. As a result, authenticated users with contributor-level access or higher can delete arbitrary posts via the plugin's REST API.
How can this vulnerability impact me? :
An attacker with contributor-level access or higher can exploit this vulnerability to trash arbitrary posts on the WordPress site. This could lead to loss of content, disruption of site functionality, and potential damage to the site's integrity and user trust.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Broken Link Checker by AIOSEO plugin to a version later than 1.2.5 where the authorization issue is fixed. If an update is not yet available, restrict contributor level user permissions or disable the plugin until a patch is released to prevent unauthorized post modifications via the REST API endpoint.