CVE-2025-14481
Description
The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify post ownership. This makes it possible for authenticated attackers, with Contributor-level access and above, to read sensitive SEO metadata from any post on the site via the 'post_id' parameter, including posts owned by other users, private posts, and draft posts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Yoast SEO plugin for WordPress up to 26.5 has an IDOR vulnerability in the Meta Search REST API, letting contributors enumerate SEO metadata from any post.
Vulnerability
The Yoast SEO plugin for WordPress versions up to and including 26.5 contains an Insecure Direct Object Reference (IDOR) vulnerability in the Meta Search REST API endpoint. The endpoint, registered under Main::API_V1_NAMESPACE with route self::META_SEARCH_ROUTE, uses a permission_callback function that fails to verify whether the authenticated user owns the post specified by the post_id parameter [1][2]. In patched version 26.6, the callback checks current_user_can( $post_type_object->cap->edit_post, $request['post_id'] ) to enforce post ownership [1][2]. The vulnerable code in versions up to 26.5 only checks for the generic edit_posts capability, which allows any user with Contributor-level access or higher to query metadata from any post [3].
Exploitation
An authenticated attacker with at least Contributor-level access can send a GET request to the Yoast SEO Meta Search REST API endpoint, providing a post_id parameter referencing any post on the site. The attacker does not need to be the author of the target post or have any specific role beyond Contributor. The search_meta callback then calls get_post_custom( $post_id ) and returns up to 25 matching meta keys and their values, filtered by an optional query parameter [2][3].
Impact
A successful exploit allows the attacker to read sensitive SEO metadata from any post, including private posts, draft posts, and posts owned by other users. The exposed data includes custom field values (except serialized ones) that could contain confidential information, potentially leading to information disclosure. The attacker gains read access to metadata they are not authorized to view, violating confidentiality of post-level data.
Mitigation
The vulnerability is fixed in Yoast SEO plugin version 26.6, released on or shortly after the pull request merge date [1]. Users should update to version 26.6 or later immediately. There is no known workaround for earlier versions; the fix enforces proper post ownership checks via edit_post capability [1][2]. The CVE is not listed on the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog as of publication.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
r3412286 60ec0a176918 Merge pull request #22797 from Yoast/enrico/update-cap-check
1 file changed · +1 −1
src/routes/meta-search-route.php+1 −1 modified@@ -53,7 +53,7 @@ public function permission_check( $request ) { $post_type = \get_post_type( $request['post_id'] ); $post_type_object = \get_post_type_object( $post_type ); - return \current_user_can( $post_type_object->cap->edit_posts ); + return \current_user_can( $post_type_object->cap->edit_post, $request['post_id'] ); } /**
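Review bot: In permission_check(), the return line reads `$post_type_object->cap->edit_post` without any visible check that the lookup succeeded: for a post_id that does not exist, \get_post_type() returns false and \get_post_type_object() then returns null, so the property is read on null before current_user_can() is reached. Return false early when `$post_type_object` is null, and add a test asserting that a Contributor is refused for another author's draft and private posts so the per-object check cannot regress to `edit_posts`.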
Vulnerability mechanics
Root cause
"Insufficient authorization check — the permission handler uses a generic post-type capability (`edit_posts`) instead of a per-object capability (`edit_post`), failing to verify the user owns or is authorized for the specific post."
Attack vector
An authenticated attacker with Contributor-level access or higher sends a crafted REST API request to the Meta Search endpoint, supplying an arbitrary `post_id` parameter. The original permission check only verifies the user has the `edit_posts` capability for the post type, which does not enforce ownership or post status. This allows the attacker to read sensitive SEO metadata from any post on the site, including private posts, draft posts, and posts owned by other users [patch_id=2623900][patch_id=2623899].
Affected code
The vulnerability resides in `src/routes/meta-search-route.php` within the `permission_check()` method. The function retrieves the post type from the `post_id` parameter and checks the generic `edit_posts` capability, which only verifies the user can edit posts of that type — not that they own the specific post.
What the fix does
The patch changes the capability check from `edit_posts` (a generic post-type-level capability) to `edit_post` (a per-object capability that accepts the specific post ID). By passing `$request['post_id']` to `current_user_can()` with the `edit_post` capability, WordPress's built-in object-level authorization verifies the user owns or has explicit permission to edit that particular post, closing the Insecure Direct Object Reference [patch_id=2623900][patch_id=2623899].
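To make the difference between the two checks concrete, here is an added example (not code from Yoast or WordPress): a simplified Python model of how WordPress core maps the `edit_post` meta capability to primitive capabilities, compared with the type-level `edit_posts` check. The function names, user ids and sample posts are constructed for illustration, the role sets are the editing-related subset of WordPress's defaults, and trash and revision handling are left out.

```python
"""Simplified model of WordPress's edit_post meta-capability mapping.
Trash/revision handling is omitted; roles carry the editing-related subset of
WordPress default capabilities; POSTS and the user ids are constructed data."""
from collections import namedtuple

Post = namedtuple("Post", "author status")
User = namedtuple("User", "id role")

ROLE_CAPS = {
    "contributor": {"read", "edit_posts", "delete_posts"},
    "author": {"read", "edit_posts", "edit_published_posts", "publish_posts"},
    "editor": {"read", "edit_posts", "edit_published_posts", "publish_posts",
               "edit_others_posts", "edit_private_posts"},
}
POSTS = {  # constructed: post 1 belongs to user 10, the rest to user 20
    1: Post(10, "draft"), 2: Post(20, "draft"),
    3: Post(20, "private"), 4: Post(20, "publish"),
}

def caps_for_edit_post(user, post):
    """Primitive capabilities that the edit_post meta capability maps to."""
    if post is None:
        return ["do_not_allow"]          # unknown post id: nobody is allowed
    published = post.status in ("publish", "future")
    if post.author == user.id:
        return ["edit_published_posts" if published else "edit_posts"]
    caps = ["edit_others_posts"]         # someone else's post
    if published:
        caps.append("edit_published_posts")
    elif post.status == "private":
        caps.append("edit_private_posts")
    return caps

def check_up_to_26_5(user, post_id):
    """Type-level check: post_id plays no part in the decision."""
    return "edit_posts" in ROLE_CAPS[user.role]

def check_26_6(user, post_id):
    """Object-level check: depends on the post's author and status."""
    needed = caps_for_edit_post(user, POSTS.get(post_id))
    return all(cap in ROLE_CAPS[user.role] for cap in needed)

def gap(user):
    """Post ids the old check admitted that the per-object check refuses."""
    return [pid for pid in sorted(POSTS)
            if check_up_to_26_5(user, pid) and not check_26_6(user, pid)]

if __name__ == "__main__":
    for u in (User(10, "contributor"), User(20, "author"), User(30, "editor")):
        print(u.role, "loses access to posts", gap(u))
```

The Editor row shows that `edit_post` is not strictly an ownership test: roles holding `edit_others_posts` still pass for posts they did not write.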
Preconditions
- auth: Attacker must be authenticated with at least Contributor-level access
- config: The site must have the Yoast SEO plugin installed and the Meta Search REST API endpoint enabled
- input: Attacker must know or enumerate the target post_id
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Yoast/wordpress-seo/pull/22797 (nvd)
- plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.4/src/routes/meta-search-route.php (nvd)
- plugins.trac.wordpress.org/browser/wordpress-seo/trunk/src/routes/meta-search-route.php (nvd)
- plugins.trac.wordpress.org/changeset/3412286/wordpress-seo (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/04b2123d-ae0c-4984-95f5-7040f8604c92 (nvd)