Description
The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify post ownership. This makes it possible for authenticated attackers, with Contributor-level access and above, to read sensitive SEO metadata from any post on the site via the 'post_id' parameter, including posts owned by other users, private posts, and draft posts.
Published: 2026-05-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Yoast SEO plugin allows authenticated users with Contributor-level or higher access to retrieve SEO metadata from any post via the Meta Search REST API. The lack of ownership validation means a contributor can read sensitive information from posts owned by other users, including private and draft posts. This results in confidentiality loss rather than denial of service or code execution.

Affected Systems

The issue affects the Yoast SEO plugin for WordPress on all versions up to and including 26.5. Users of Yoast SEO 26.5 or earlier are at risk. The plugin’s Meta Search endpoint does not enforce proper authorization for the 'post_id' parameter.

Risk and Exploitability

The CVSS base score of 4.3 indicates a moderate impact, but the vulnerability is exploitable only by authenticated accounts, limiting the threat surface. EPSS data is not available and the flaw is not listed in the CISA KEV catalog, suggesting that widespread exploitation is currently low. However, any site with contributors who need to view post content could be exposed to sensitive metadata leakage if they misuse the 'post_id' parameter.

Generated by OpenCVE AI on May 27, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Yoast SEO to a version newer than 26.5 to receive the authorization fix.
  • If an immediate upgrade is not possible, restrict or remove the Meta Search route from the REST API, or configure the site to prevent contributors from accessing the 'post_id' parameter via conditional code hooks.
  • Ensure that Contributor roles are granted only the permissions required for their tasks, and consider reducing their ability to read post metadata by adjusting role capabilities or using additional access‑control plugins.

Generated by OpenCVE AI on May 27, 2026 at 06:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Yoast
Yoast yoast Seo – Advanced Seo With Real-time Guidance And Built-in Ai
Vendors & Products Wordpress
Wordpress wordpress
Yoast
Yoast yoast Seo – Advanced Seo With Real-time Guidance And Built-in Ai

Wed, 27 May 2026 05:00:00 +0000

Type Values Removed Values Added
Description The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify post ownership. This makes it possible for authenticated attackers, with Contributor-level access and above, to read sensitive SEO metadata from any post on the site via the 'post_id' parameter, including posts owned by other users, private posts, and draft posts.
Title Yoast SEO <= 26.5 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via 'post_id' Parameter
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Wordpress Wordpress
Yoast Yoast Seo – Advanced Seo With Real-time Guidance And Built-in Ai
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:41:24.847Z

Reserved: 2025-12-10T19:03:32.498Z

Link: CVE-2025-14481

cve-icon Vulnrichment

Updated: 2026-05-27T10:41:20.286Z

cve-icon NVD

Status : Deferred

Published: 2026-05-27T05:16:19.950

Modified: 2026-05-27T14:50:47.627

Link: CVE-2025-14481

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T10:00:14Z

Weaknesses