CVE-2025-14481
Insecure Direct Object Reference in Yoast SEO WordPress Plugin
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yoast | seo | up to 26.5 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Yoast SEO plugin for WordPress has an Insecure Direct Object Reference (IDOR) vulnerability in all versions up to and including 26.5. The flaw exists because the Meta Search REST API endpoint does not verify that the requesting user owns a post before returning that post's SEO metadata.
As a result, authenticated users with Contributor-level access or higher can exploit this flaw to read sensitive SEO metadata from any post on the site by manipulating the 'post_id' parameter. This includes posts owned by other users, private posts, and draft posts.
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized users with Contributor-level access or above to view sensitive SEO metadata from posts they should not have access to. This could lead to exposure of private or draft content, potentially revealing confidential information or internal strategies.
While the vulnerability does not allow modification or deletion of content, the unauthorized disclosure of metadata could be leveraged for further attacks or information gathering.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized access to SEO metadata via the Meta Search REST API endpoint using the 'post_id' parameter by authenticated users with Contributor-level access or higher.
To detect exploitation attempts on your system or network, you can monitor HTTP requests to the Yoast SEO Meta Search REST API endpoint, looking for unusual or unauthorized access patterns, especially requests containing the 'post_id' parameter made by users with Contributor or higher roles.
Suggested commands include using web server logs or network monitoring tools to filter for such requests. For example, using grep on Apache or Nginx logs:
- `grep 'wp-json/yoast/v1/meta/search' /var/log/apache2/access.log | grep 'post_id='`
- `grep 'wp-json/yoast/v1/meta/search' /var/log/nginx/access.log | grep 'post_id='`
Additionally, monitoring WordPress user activity logs for Contributor-level users making REST API calls to Yoast SEO endpoints can help identify suspicious behavior.
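The grep commands above list every hit; the script below, added here as an example and not part of the advisory, goes one step further and flags clients that successfully fetched metadata for several distinct `post_id` values, which is the pattern an IDOR walk of posts would leave. The endpoint path is the one quoted in the grep commands above; the access-log lines are constructed sample data in Apache/Nginx combined format.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Endpoint path taken from the advisory's grep commands; everything else here is constructed.
YOAST_META_SEARCH = "/wp-json/yoast/v1/meta/search"

# Apache/Nginx "combined" log format: ip - user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

SAMPLE_LOG = """\
203.0.113.5 - - [27/May/2026:10:00:01 +0000] "GET /wp-json/yoast/v1/meta/search?post_id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [27/May/2026:10:00:02 +0000] "GET /wp-json/yoast/v1/meta/search?post_id=13 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.5 - - [27/May/2026:10:00:03 +0000] "GET /wp-json/yoast/v1/meta/search?post_id=14 HTTP/1.1" 200 470 "-" "Mozilla/5.0"
198.51.100.7 - - [27/May/2026:10:05:00 +0000] "GET /wp-json/yoast/v1/meta/search?post_id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [27/May/2026:10:05:01 +0000] "GET /wp-json/wp/v2/posts/12 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [27/May/2026:10:06:00 +0000] "GET /wp-json/yoast/v1/meta/search?post_id=99 HTTP/1.1" 403 120 "-" "curl/8.0"
"""

def meta_search_requests(log_text):
    """Yield (ip, post_id, status) for each request to the Meta Search endpoint that carries post_id."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path.rstrip("/") != YOAST_META_SEARCH:
            continue
        post_ids = parse_qs(parts.query).get("post_id")
        if not post_ids:
            continue
        yield m["ip"], post_ids[0], int(m["status"])

def flag_enumeration(log_text, threshold=3):
    """Return {ip: sorted distinct post_ids} for clients that received a 2xx response for
    at least `threshold` distinct post_id values; a 403 means the request was refused."""
    seen = defaultdict(set)
    for ip, post_id, status in meta_search_requests(log_text):
        if 200 <= status < 300:
            seen[ip].add(post_id)
    return {ip: sorted(ids, key=int) for ip, ids in seen.items() if len(ids) >= threshold}

if __name__ == "__main__":
    for ip, ids in flag_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(ids)} distinct post_id values via Meta Search: {', '.join(ids)}")
```

Web server access logs do not record which WordPress account made an authenticated request, so a flagged client address still has to be matched against the site's user activity log to tie it to a Contributor-level account.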
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Yoast SEO plugin to version 26.6 or later, where the vulnerability has been fixed by improving capability checks to prevent unauthorized access to sensitive metadata.
If immediate updating is not possible, consider restricting Contributor-level and higher users' access to the Meta Search REST API endpoint or disabling the Yoast SEO plugin temporarily.
Additionally, review user roles and permissions to ensure that only trusted users have Contributor-level or higher access.