PT-2025-47443 · WordPress · Siteseo – Seo Simplified

Athiwat Tiprasaharn · Published 2025-11-19 · Updated 2025-11-19 · CVE-2025-13085

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

SiteSEO – SEO Simplified plugin for WordPress versions up to and including 1.3.2

Description

The SiteSEO – SEO Simplified plugin for WordPress has an authorization issue that can lead to the disclosure of sensitive post metadata. The issue is caused by a lack of proper object-level authorization checks within the resolve_variables() AJAX handler. Authenticated attackers with the siteseo_manage capability, such as Author-level users granted SiteSEO access by an administrator, can read arbitrary post metadata from posts, pages, attachments, or WooCommerce orders they are not authorized to edit. This is possible through the custom field variable resolution feature when legacy storage is enabled. In WooCommerce installations, sensitive customer billing information, including names, email addresses, phone numbers, physical addresses, and payment methods, may be exposed.

Recommendations

Update SiteSEO – SEO Simplified plugin for WordPress to a version later than 1.3.2.
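
The object-level check whose absence the description identifies, sketched as an added example for plugin developers (not SiteSEO's code and not the vendor's patch). The handler name, AJAX action, nonce action and request parameters are hypothetical; only the siteseo_manage capability name comes from this advisory.

```php
<?php
// Added illustration only: hypothetical handler, not SiteSEO's code.
// The action name, nonce action and request parameters are assumptions.

add_action( 'wp_ajax_example_resolve_custom_field', 'example_resolve_custom_field' );

function example_resolve_custom_field() {
    // 1. CSRF protection: stop here unless the request carries a valid nonce.
    check_ajax_referer( 'example_resolve_custom_field', 'nonce' );

    // 2. Function-level check: may the caller use the feature at all?
    //    (capability name taken from the advisory)
    if ( ! current_user_can( 'siteseo_manage' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }

    $post_id  = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $meta_key = isset( $_POST['meta_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['meta_key'] ) )
        : '';

    if ( ! $post_id || '' === $meta_key || ! get_post( $post_id ) ) {
        wp_send_json_error( 'Invalid request', 400 );
    }

    // 3. Object-level check: may the caller edit THIS post, page,
    //    attachment or order? Holding the feature capability from step 2
    //    says nothing about the specific object being read.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }

    // 4. Defence in depth: refuse protected (underscore-prefixed) meta keys,
    //    the naming used for internal data such as legacy order billing fields.
    if ( is_protected_meta( $meta_key, 'post' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }

    // wp_send_json_* terminate the request, so this line is reached
    // only when every check above has passed.
    wp_send_json_success( get_post_meta( $post_id, $meta_key, true ) );
}
```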

Fix

Weakness Enumeration: Improper Authorization

Related Identifiers: CVE-2025-13085

Affected Products: Siteseo – Seo Simplified