Description
The Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization in all versions up to, and including, 1.2.5. This is due to the plugin registering a REST API endpoint that only checks for a broad capability (aioseo_blc_broken_links_page) that is granted to contributor level users, without verifying the user's permission to perform actions on the specific post being targeted. This makes it possible for authenticated attackers, with contributor level access and above, to trash arbitrary posts via the DELETE /wp-json/aioseoBrokenLinkChecker/v1/post endpoint.
Published: 2025-11-18
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary post deletion via REST API
Action: Apply Patch
AI Analysis

Impact

The Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links plugin includes a REST API endpoint that permits deletion of any post. The endpoint checks only for the capability aioseo_blc_broken_links_page, which is granted to Contributor users and higher, but does not verify ownership or specific permissions for the target post. An attacker who is authenticated as a Contributor or above can therefore send a DELETE request to /wp-json/aioseoBrokenLinkChecker/v1/post and move any post to the trash. This results in loss of content and can function as a denial‑of‑service attack against the site’s editorial workflow. The weakness is a missing authorization check, identified as CWE‑862.

Affected Systems

The vulnerability affects the WordPress plugin Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links in all releases up to and including version 1.2.5. No additional product or version details were provided.,

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity, while the EPSS score of less than 1% suggests exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. The attack requires authentication as a user with at least Contributor level, but once authenticated the attacker can delete any post without further authorization checks. The exploit path is straightforward: authenticate, send a DELETE request to the REST endpoint, and target any post ID. Monitoring logs or disabling the endpoint are mitigations, but the preferred action is to apply a patch that removes the authorization flaw.

Generated by OpenCVE AI on April 22, 2026 at 21:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to a version newer than 1.2.5, which removes the vulnerable REST endpoint
  • Revoke or remove the Contributor capability aioseo_blc_broken_links_page from users who do not need it, limiting the scope of the flaw
  • If an upgrade is not immediately possible, add a custom function to block or delete requests to /wp-json/aioseoBrokenLinkChecker/v1/post by non‑administrator users
  • Audit all posts for unexpected deletion activity and restore from backups if necessary

Generated by OpenCVE AI on April 22, 2026 at 21:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 19 Nov 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Aioseo
Aioseo broken Link Checker
Wordpress
Wordpress wordpress
Vendors & Products Aioseo
Aioseo broken Link Checker
Wordpress
Wordpress wordpress

Tue, 18 Nov 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 18 Nov 2025 09:45:00 +0000

Type Values Removed Values Added
Description The Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization in all versions up to, and including, 1.2.5. This is due to the plugin registering a REST API endpoint that only checks for a broad capability (aioseo_blc_broken_links_page) that is granted to contributor level users, without verifying the user's permission to perform actions on the specific post being targeted. This makes it possible for authenticated attackers, with contributor level access and above, to trash arbitrary posts via the DELETE /wp-json/aioseoBrokenLinkChecker/v1/post endpoint.
Title Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links <= 1.2.5 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Trashing
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

Aioseo Broken Link Checker
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:32:41.233Z

Reserved: 2025-10-14T10:08:30.799Z

Link: CVE-2025-11734

cve-icon Vulnrichment

Updated: 2025-11-18T21:39:49.139Z

cve-icon NVD

Status : Deferred

Published: 2025-11-18T10:15:44.910

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11734

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T21:15:27Z

Weaknesses