PT-2025-47275 · WordPress+1 · Broken Link Checker By Aioseo+1

Lucas Montes · Published 2025-11-18 · Updated 2025-11-18 · CVE-2025-11734

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links plugin for WordPress versions through 1.2.5

Description

The plugin is susceptible to unauthorized post modification because of insufficient authorization checks. It registers a REST API endpoint that verifies only a broad capability (aioseo_blc_broken_links_page), which is granted to contributor-level users, without validating the user's permission to act on the specific post. This allows authenticated attackers with contributor access or higher to delete arbitrary posts using the API endpoint /wp-json/aioseoBrokenLinkChecker/v1/post. The vulnerable parameter is the post identifier used in the DELETE request.

Recommendations

Update the Broken Link Checker by AIOSEO plugin to a version later than 1.2.5.
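
The authorization gap described above, as an added example (not the plugin's source code): a hypothetical REST route written against WordPress core APIs, with the capability-only check next to a per-post check. The namespace example-blc/v1, the postId parameter and the function names are assumptions; only the capability string comes from the advisory.

```php
<?php
/**
 * Plugin Name: Example BLC object-level authorization (illustration)
 *
 * Added example, not the plugin's source. The namespace example-blc/v1, the postId
 * parameter and all function names are hypothetical; the capability string is the
 * one named in the advisory. Requires WordPress (uses core REST and capability APIs).
 */

// Weak pattern: a feature-level capability only. The answer is the same for every post ID.
function example_blc_weak_permission( WP_REST_Request $request ) {
	return current_user_can( 'aioseo_blc_broken_links_page' );
}

// Hardened pattern: keep the feature gate, then check the per-post meta capability.
function example_blc_object_permission( WP_REST_Request $request ) {
	$denied  = new WP_Error( 'rest_forbidden', 'You are not allowed to delete this post.',
		array( 'status' => rest_authorization_required_code() ) );
	$post_id = absint( $request['postId'] );
	if ( ! $post_id || ! current_user_can( 'aioseo_blc_broken_links_page' ) ) {
		return $denied;
	}
	// delete_post is mapped per object: a contributor passes only for their own
	// unpublished posts, and a nonexistent ID maps to do_not_allow.
	return current_user_can( 'delete_post', $post_id ) ? true : $denied;
}

// Handler (hypothetical): only reached after the permission callback returned true.
function example_blc_trash_post( WP_REST_Request $request ) {
	$trashed = wp_trash_post( absint( $request['postId'] ) );
	if ( ! $trashed ) {
		return new WP_Error( 'rest_cannot_delete', 'Post could not be trashed.', array( 'status' => 500 ) );
	}
	return rest_ensure_response( array( 'trashed' => $trashed->ID ) );
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'example-blc/v1', '/post', array(
		'methods'             => WP_REST_Server::DELETABLE,
		'callback'            => 'example_blc_trash_post',
		// Registering example_blc_weak_permission here reproduces the advisory's gap.
		'permission_callback' => 'example_blc_object_permission',
		'args'                => array(
			'postId' => array( 'required' => true, 'sanitize_callback' => 'absint' ),
		),
	) );
} );
```

When reviewing other REST routes for the same weakness, look for a permission_callback that never reads the object ID from the request.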

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2025-11734

Affected Products

Aioseo
Broken Link Checker By Aioseo