Description
The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Improper Authorization leading to Sensitive Post Meta Disclosure in versions up to and including 1.3.2. This is due to missing object-level authorization checks in the resolve_variables() AJAX handler. This makes it possible for authenticated attackers with the siteseo_manage capability (e.g., Author-level users who have been granted SiteSEO access by an administrator) to read arbitrary post metadata from any post, page, attachment, or WooCommerce order they cannot edit, via the custom field variable resolution feature, provided they have been given access to SiteSEO by an administrator and legacy storage is enabled. In affected WooCommerce installations, this exposes sensitive customer billing information including names, email addresses, phone numbers, physical addresses, and payment methods.
Published: 2025-11-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive post metadata disclosure
Action: Patch
AI Analysis

Impact

The SiteSEO – SEO Simplified plugin for WordPress, in versions up to and including 1.3.2, contains an authorization flaw in the resolve_variables() AJAX handler that allows authenticated users with the siteseo_manage capability to read any post metadata. This can expose private fields such as customer addresses, emails, phone numbers and payment details stored in WooCommerce orders. The vulnerability is a direct consequence of missing object-level permission checks, making it a classic data disclosure issue.

Affected Systems

WordPress websites running the SiteSEO – SEO Simplified plugin version 1.3.2 or earlier are affected. The flaw is exploitable on any content type—posts, pages, attachments—and on sites that have WooCommerce installed, where customer billing information is stored in post meta. Users with Author‑level access who have been granted SiteSEO rights by an administrator can trigger the disclosure.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% shows a very low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. The attack requires an authenticated user with the siteseo_manage capability; unauthenticated users cannot exploit it. Because the exposed data is sensitive, the confidentiality impact is significant if the attacker can access billing information.

Generated by OpenCVE AI on April 22, 2026 at 00:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to SiteSEO – SEO Simplified 1.3.3 or later, which removes the vulnerable AJAX handler.
  • Restrict or remove the siteseo_manage capability from users who do not need it, especially Authors and Contributors.
  • Disable legacy storage or the custom field variable resolution feature in the plugin settings to prevent the meta resolution pathway from being used.


Advisories

No advisories yet.

History

Thu, 20 Nov 2025 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Softaculous; Softaculous siteseo; Wordpress; Wordpress wordpress
Vendors & Products | | Softaculous; Softaculous siteseo; Wordpress; Wordpress wordpress

Wed, 19 Nov 2025 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 19 Nov 2025 07:00:00 +0000

Type | Values Removed | Values Added
Description | | The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Improper Authorization leading to Sensitive Post Meta Disclosure in versions up to and including 1.3.2. This is due to missing object-level authorization checks in the resolve_variables() AJAX handler. This makes it possible for authenticated attackers with the siteseo_manage capability (e.g., Author-level users who have been granted SiteSEO access by an administrator) to read arbitrary post metadata from any post, page, attachment, or WooCommerce order they cannot edit, via the custom field variable resolution feature granted they have been given access to SiteSEO by an administrator and legacy storage is enabled. In affected WooCommerce installations, this exposes sensitive customer billing information including names, email addresses, phone numbers, physical addresses, and payment methods.
Title | | SiteSEO – SEO Simplified <= 1.3.2 - Insecure Direct Object Reference to Sensitive Post Meta Disclosure
Weaknesses | | CWE-285
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:51:29.627Z

Reserved: 2025-11-12T19:32:01.839Z

Link: CVE-2025-13085

Vulnrichment

Updated: 2025-11-19T18:58:50.844Z

NVD

Status: Deferred

Published: 2025-11-19T07:15:50.057

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13085

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:45:04Z
