Description
Contributor Broken Access Control in Slim SEO <= 4.6.2 versions.
Published: 2026-06-25
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The reported defect is a Broken Access Control flaw in the WordPress Slim SEO plugin, affecting versions up to and including 4.6.2. It allows an attacker without privileged permissions on the site to perform functions that should be restricted to privileged users. Given the nature of the weakness, it is inferred that an attacker could alter plugin configuration or access sensitive data linked to the plugin, which makes this more than a purely functional issue: it could affect site integrity.

Affected Systems

The problem exists in installations of the eLightUp Slim SEO WordPress plugin running version 4.6.2 or earlier. Sites that have upgraded to 4.7.0 or newer are not affected by this specific issue.

Risk and Exploitability

The CVSS base score of 6.5 signals a moderate severity level. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog, indicating no current evidence of widespread exploitation. The likely attack vector is the web interface of a WordPress site: because the plugin fails to enforce proper access control, any user can reach its endpoints. Consequently, although exploitation evidence is limited, the risk remains significant and warrants remediation.

Generated by OpenCVE AI on June 25, 2026 at 16:17 UTC.

Remediation

Vendor Solution

Update the WordPress Slim SEO Plugin to the latest available version (at least 4.7.0).


OpenCVE Recommended Actions

  • Update the Slim SEO plugin to version 4.7.0 or newer to apply the vendor-provided fix.
  • If an upgrade cannot be performed immediately, remove or disable the plugin from the WordPress installation to eliminate the vulnerable functionality until the update is applied.
  • Review WordPress role assignments and limit privileged access to trusted administrators to reduce the likelihood that an attacker can exploit the plugin’s access controls.

Generated by OpenCVE AI on June 25, 2026 at 16:17 UTC.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Contributor Broken Access Control in Slim SEO <= 4.6.2 versions.
Title WordPress Slim SEO plugin <= 4.6.2 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-25T14:15:39.604Z

Reserved: 2026-06-24T12:46:44.605Z

Link: CVE-2026-57429

Vulnrichment

Updated: 2026-06-25T14:15:36.153Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T16:30:15Z

Weaknesses