Description
The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.3.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Author-level access and above, to enable or disable arbitrary SiteSEO features that they should not have access to.
Published: 2025-11-01
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of SiteSEO plugin settings
Action: Update Plugin
AI Analysis

Impact

The SiteSEO – SEO Simplified plugin for WordPress has a missing authorization flaw in versions up to 1.3.1. The flaw allows authenticated users with Author-level access or higher to enable or disable arbitrary SiteSEO features without proper permission checks. This results in unexpected changes to SEO configuration, which can affect site visibility, search rankings, and potentially expose sensitive content. The weakness corresponds to CWE-285, Unauthorized Access.

Affected Systems

Softaculous’ SiteSEO – SEO Simplified plugin is affected, specifically all installed copies running version 1.3.1 or older. The vulnerability exists within the plugin’s AJAX handling code on WordPress sites that have the plugin active. Users should verify the installed plugin version and plan an upgrade if the current version is 1.3.1 or earlier.

Risk and Exploitability

The vulnerability has a CVSS base score of 4.3, indicating moderate severity. Its EPSS score is below 1 %, suggesting a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. Because the flaw requires authentication and an Author or higher role, an attacker must be already able to log into the WordPress installation. Once authenticated, the attacker can toggle any feature controlled by the plugin, but there is no path to arbitrary code execution or full system compromise. The risk is therefore localized to the SEO configuration of the affected site.

Generated by OpenCVE AI on April 22, 2026 at 11:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SiteSEO plugin to a version newer than 1.3.1, which contains the authorization fix.
  • Review user accounts and ensure only trusted users have Author or higher roles; consider reducing the number of Author accounts.
  • Confirm that the plugin’s settings pages are protected by the appropriate capability checks and that no residual code allows editing without permission.

Generated by OpenCVE AI on April 22, 2026 at 11:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 03 Nov 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 03 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Softaculous
Softaculous siteseo
Wordpress
Wordpress wordpress
Vendors & Products Softaculous
Softaculous siteseo
Wordpress
Wordpress wordpress

Sat, 01 Nov 2025 03:45:00 +0000

Type Values Removed Values Added
Description The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.3.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Author-level access and above, to enable or disable arbitrary SiteSEO features that they should not have access to.
Title SiteSEO – SEO Simplified <= 1.3.1 - Missing Authorization to Authenticated (Author+) Plugin Settings Update
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Softaculous Siteseo
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:53:19.148Z

Reserved: 2025-10-27T19:24:21.361Z

Link: CVE-2025-12367

cve-icon Vulnrichment

Updated: 2025-11-03T15:45:00.465Z

cve-icon NVD

Status : Deferred

Published: 2025-11-01T04:16:04.093

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12367

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses