Medium severity4.3NVD Advisory· Published May 27, 2026· Updated May 27, 2026
CVE-2025-14481
CVE-2025-14481
Description
The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify post ownership. This makes it possible for authenticated attackers, with Contributor-level access and above, to read sensitive SEO metadata from any post on the site via the 'post_id' parameter, including posts owned by other users, private posts, and draft posts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/Yoast/wordpress-seo/pull/22797nvd
- plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.4/src/routes/meta-search-route.phpnvd
- plugins.trac.wordpress.org/browser/wordpress-seo/trunk/src/routes/meta-search-route.phpnvd
- plugins.trac.wordpress.org/changeset/3412286/wordpress-seonvd
- www.wordfence.com/threat-intel/vulnerabilities/id/04b2123d-ae0c-4984-95f5-7040f8604c92nvd
News mentions
1- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 25, 2026 to May 31, 2026)Wordfence Blog · Jun 4, 2026