Description
The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect capability check on the siteseo_reset_settings function in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, who have been granted access to at least one SiteSEO setting capability, to reset the plugin's settings.
Published: 2025-11-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration change
Action: Patch Plugin
AI Analysis

Impact

The SiteSEO – SEO Simplified WordPress plugin is vulnerable because the siteseo_reset_settings function performs an incorrect capability check: it accepts any authenticated user who holds at least one SiteSEO setting capability, rather than requiring the capability appropriate for a plugin-wide reset. An attacker with such a low-privileged account can therefore wipe the site's custom SEO configuration (titles, meta data, sitemaps and similar settings) and degrade search visibility until an administrator restores it. The flaw does not lead to remote code execution or data exfiltration.

Affected Systems

The flaw affects the SiteSEO – SEO Simplified plugin (Softaculous) on all installed versions up to and including 1.3.2. It applies to any WordPress site where the plugin is active and the user has SiteSEO setting permissions.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. It is not listed in the CISA KEV catalog. Per the description, exploitation requires an authenticated user who already holds at least one SiteSEO setting capability; this is an improper-authorization issue (CWE-285), not a privilege escalation to administrator. Note that the CVSS 3.1 vector recorded for this CVE (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) scores it with no privileges required, which is stricter than the description implies; the SSVC entry rates it Automatable: yes, Exploitation: none, Technical Impact: partial. The impact is limited to integrity: the plugin's configuration is reset, with no code execution and no disclosure of data.

Generated by OpenCVE AI on April 21, 2026 at 01:29 UTC.
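The Impact paragraph above describes the shape of the bug: a reset handler that is satisfied by any one of the plugin's per-section settings capabilities. The following is an added, illustrative PHP example and is not the SiteSEO plugin's code; the option key, capability names and AJAX action are hypothetical placeholders. It shows that weak pattern beside a corrected handler that gates a plugin-wide, destructive action on the administrator-level capability and an action-specific nonce.

```php
<?php
/**
 * Illustrative pattern only (added example, not the SiteSEO plugin's code).
 * Demonstrates the CWE-285 shape described in the advisory: a "holds any
 * settings capability" check guarding a whole-plugin reset, beside a
 * corrected version of the same handler.
 */

// Hypothetical names: the real plugin's option key and capabilities are not on this page.
const EXAMPLE_OPTION_KEY   = 'example_seo_settings';
const EXAMPLE_SETTING_CAPS = [ 'example_manage_titles', 'example_manage_sitemaps', 'example_manage_social' ];
const EXAMPLE_RESET_CAP    = 'manage_options'; // a full reset is an administrator-level action

/**
 * Weak: passes if the caller holds ANY per-section settings capability,
 * so a user limited to one SEO section can wipe every section.
 * Also performs no nonce check, so the action is reachable via CSRF.
 */
function example_reset_settings_weak() {
    $allowed = false;
    foreach ( EXAMPLE_SETTING_CAPS as $cap ) {
        if ( current_user_can( $cap ) ) {
            $allowed = true;
            break;
        }
    }
    if ( ! $allowed ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    delete_option( EXAMPLE_OPTION_KEY );
    wp_send_json_success(); // exits
}

/**
 * Corrected: the reset is a plugin-wide, destructive action, so it requires
 * the administrator-level capability AND a nonce bound to this action,
 * both checked before any state change.
 */
function example_reset_settings_fixed() {
    // check_ajax_referer() terminates the request with 403 on a missing or stale nonce.
    check_ajax_referer( 'example_reset_settings', 'nonce' );

    if ( ! current_user_can( EXAMPLE_RESET_CAP ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    delete_option( EXAMPLE_OPTION_KEY );
    wp_send_json_success(); // exits
}

// Register only the corrected handler. Logged-in users reach wp_ajax_{action};
// deliberately no wp_ajax_nopriv_ registration, so anonymous callers never reach it.
add_action( 'wp_ajax_example_reset_settings', 'example_reset_settings_fixed' );
```

The design point is that the capability checked must match the scope of the action: a capability that lets a user edit one section of settings does not authorise destroying all of them. Checking the nonce first also keeps the reset from being triggered by a forged request against a logged-in administrator.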

Remediation

The CVE record lists no vendor fix or workaround.

OpenCVE Recommended Actions

  • Update the SiteSEO – SEO Simplified plugin to version 1.3.3 or later, where the capability check is corrected.
  • If an immediate plugin update is not feasible, revoke or restrict the SiteSEO settings capability from users who do not require it.
  • Audit WordPress user roles and capabilities to ensure only trusted administrators retain SiteSEO management rights.

Generated by OpenCVE AI on April 21, 2026 at 01:29 UTC.
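The second and third recommended actions above call for finding out which roles and users actually hold SiteSEO capabilities before revoking them. The following is an added PHP audit script, not OpenCVE's or the plugin's code; it assumes the plugin's capabilities share a common name prefix (a placeholder here, to be replaced with the real capability names, which can be listed with `wp cap list <role>`) and is intended to be run inside WordPress with `wp eval-file`.

```php
<?php
/**
 * Illustrative audit script (added example, not OpenCVE's or the plugin's code).
 * Lists every role that grants, and every user that holds, a capability
 * whose name starts with $prefix, so the grants can be reviewed and revoked.
 * Run inside WordPress, e.g.:  wp eval-file audit-seo-caps.php
 */

// Assumption: the plugin's capabilities share this prefix. Verify with `wp cap list <role>`.
$prefix = 'siteseo_';

// Portable prefix test (avoids the PHP 8-only str_starts_with()).
$has_prefix = static function ( $cap ) use ( $prefix ) {
    return strncmp( $cap, $prefix, strlen( $prefix ) ) === 0;
};

// 1. Which roles grant the capabilities? $wp_roles->roles is role_key => [name, capabilities => [cap => bool]].
$wp_roles = wp_roles();
foreach ( $wp_roles->roles as $role_key => $role ) {
    $granted = [];
    foreach ( $role['capabilities'] as $cap => $enabled ) {
        if ( $enabled && $has_prefix( $cap ) ) {
            $granted[] = $cap;
        }
    }
    if ( $granted ) {
        printf( "role %-15s grants: %s\n", $role_key, implode( ', ', $granted ) );
    }
}

// 2. Which users hold them? WP_User::$allcaps merges role capabilities with
//    capabilities granted directly to the user, so direct grants are not missed.
foreach ( get_users( [ 'fields' => 'all' ] ) as $user ) {
    $held = [];
    foreach ( $user->allcaps as $cap => $enabled ) {
        if ( $enabled && $has_prefix( $cap ) ) {
            $held[] = $cap;
        }
    }
    if ( $held ) {
        printf(
            "user %-20s roles=[%s] caps: %s\n",
            $user->user_login,
            implode( ',', $user->roles ),
            implode( ', ', $held )
        );
    }
}
```

Any non-administrator user or role that appears in the output can trigger the reset on an unpatched install; remove the capability with `wp cap remove <role> <cap>` (or `remove_cap()` on the individual user) until the plugin is updated.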

Advisories

No advisories yet.

History

Fri, 21 Nov 2025 09:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Softaculous; Softaculous siteseo; Wordpress; Wordpress wordpress
Vendors & Products                     Softaculous; Softaculous siteseo; Wordpress; Wordpress wordpress

Wed, 19 Nov 2025 19:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 19 Nov 2025 06:00:00 +0000

Type          Values Removed   Values Added
Description                    The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect capability check on the siteseo_reset_settings function in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, who have been granted access to at least one SiteSEO setting capability, to reset the plugin's settings.
Title                          SiteSEO – SEO Simplified <= 1.3.2 - Improper Authorization to Authenticated Settings Reset
Weaknesses                     CWE-285
References
Metrics                        cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Softaculous Siteseo
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:12:52.721Z

Reserved: 2025-11-06T16:54:37.938Z

Link: CVE-2025-12814

Vulnrichment

Updated: 2025-11-19T18:40:23.883Z

NVD

Status : Deferred

Published: 2025-11-19T06:15:46.617

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12814

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:30:24Z

Weaknesses