PT-2026-54511 · Rilwis · Slim Seo – A Fast & Automated Seo Plugin For Wordpress

Abu Hurayra · Published 2026-07-01 · Updated 2026-07-01 · CVE-2026-12408

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
The Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin for WordPress is vulnerable to Unauthorized Private Content Disclosure in all versions up to, and including, 4.9.8 via the /wp-json/slim-seo/meta-tags/ai REST API endpoint. This is due to the endpoint's permission callback performing only a top-level edit_posts capability check without verifying that the requesting user has read access to the specific post supplied via the object.ID parameter, allowing the generate function to pass the attacker-controlled post ID to Data::get_post_content(), which calls get_post() regardless of post status or ownership. This makes it possible for authenticated attackers with Contributor-level access and above to retrieve AI-generated summaries of the raw post content of arbitrary posts they are not authorized to view — including private posts, drafts, pending, future, and password-protected content authored by other users — with the substance of the protected content disclosed via the HTTP response.
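The root cause above is a permission callback that checks a site-wide capability but never the requested object. The following is an added illustrative example, not Slim SEO's own code: it contrasts that weak pattern with a permission callback that authorizes the specific post taken from the object.ID parameter. The route namespace, function names and the generate callback name are placeholders.

```php
<?php
// Illustrative example (not the plugin's code). Assumes the route receives
// the target post in an 'object' parameter with an 'ID' key, as described
// in the advisory. Namespace and function names are placeholders.

// Weak pattern described in the advisory: only a site-wide capability is
// checked, so any Contributor passes regardless of which post is requested.
function example_weak_permission_check( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' );
}

// Hardened check: resolve the specific post from the request and require
// that the current user may read *that* post. WordPress maps 'read_post'
// to the right primitive capability for the post's type, status and author,
// so private, draft, pending and future posts owned by others are denied.
function example_hardened_permission_check( WP_REST_Request $request ) {
    if ( ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.',
            array( 'status' => rest_authorization_required_code() ) );
    }

    $object  = $request->get_param( 'object' );
    $post_id = ( is_array( $object ) && isset( $object['ID'] ) ) ? absint( $object['ID'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    if ( ! ( $post instanceof WP_Post ) ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.',
            array( 'status' => 404 ) );
    }

    // Per-object authorization. Password-protected posts additionally
    // require the visitor to have supplied the password (cookie present).
    if ( ! current_user_can( 'read_post', $post->ID ) || post_password_required( $post ) ) {
        return new WP_Error( 'rest_forbidden', 'You cannot read this post.',
            array( 'status' => rest_authorization_required_code() ) );
    }

    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/meta-tags/ai', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_generate_callback', // placeholder handler
        'permission_callback' => 'example_hardened_permission_check',
    ) );
} );
```

The per-object check belongs in the permission callback, so that the handler never receives a post ID the caller is not allowed to read.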

Fix

Information Disclosure


Weakness Enumeration

Related identifiers

CVE-2026-12408

Affected products

Slim Seo – A Fast & Automated Seo Plugin For Wordpress