PT-2026-54511 · Rilwis · Slim SEO – A Fast & Automated SEO Plugin For WordPress
Abu Hurayra · Published 2026-07-01 · Updated 2026-07-01 · CVE-2026-12408
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
The Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin for WordPress is vulnerable to Unauthorized Private Content Disclosure in all versions up to, and including, 4.9.8 via the `/wp-json/slim-seo/meta-tags/ai` REST API endpoint. This is due to the endpoint's permission callback performing only a top-level `edit_posts` capability check without verifying that the requesting user has read access to the specific post supplied via the `object.ID` parameter, allowing the generate function to pass the attacker-controlled post ID to `Data::get_post_content()`, which calls `get_post()` regardless of post status or ownership. This makes it possible for authenticated attackers with Contributor-level access and above to retrieve AI-generated summaries of the raw post content of arbitrary posts they are not authorized to view — including private posts, drafts, pending, future, and password-protected content authored by other users — with the substance of the protected content disclosed via the HTTP response.
Information Disclosure
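The following is an added illustration of the flaw class described above, not Slim SEO's own code: a WordPress REST route whose permission callback stops at a site-wide `edit_posts` check, beside a hardened callback that also resolves the post named in `object.ID` and requires per-post access before any content is read. The route path, the `object.ID` parameter shape and the `edit_posts` check are taken from the advisory; the `example_*` function names, the handler body and the use of `wp_trim_words()` as a stand-in for the AI summary are assumptions made for the example.

```php
<?php
// Added example (not the plugin's code). Demonstrates a per-post access
// check in a REST permission_callback. Function names are hypothetical.

// Shared helper: resolve the post referenced by the request's object.ID
// parameter, or null if it is missing or does not exist.
function example_resolve_post( WP_REST_Request $request ) {
    $object  = $request->get_param( 'object' );
    $post_id = is_array( $object ) && isset( $object['ID'] ) ? absint( $object['ID'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    return $post instanceof WP_Post ? $post : null;
}

// VULNERABLE PATTERN: every user holding edit_posts (Contributor and above)
// passes, whichever post ID they place in object.ID. Nothing ties the
// capability to the post that is about to be read.
function example_vulnerable_permission( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' );
}

// HARDENED: keep the coarse capability gate, then require that the caller
// may read the specific post. 'read_post' is a meta capability that
// WordPress maps per post (status, owner, post type), so another user's
// drafts, pending, future and private posts are refused to a Contributor.
function example_hardened_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', [ 'status' => 403 ] );
    }

    $post = example_resolve_post( $request );
    if ( ! $post ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', [ 'status' => 404 ] );
    }

    if ( ! current_user_can( 'read_post', $post->ID ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not read this post.', [ 'status' => 403 ] );
    }

    // read_post does not cover the post password, so password-protected
    // content needs its own gate; allowing only users who can edit the post
    // keeps the author's own workflow intact.
    if ( post_password_required( $post ) && ! current_user_can( 'edit_post', $post->ID ) ) {
        return new WP_Error( 'rest_forbidden', 'Post is password protected.', [ 'status' => 403 ] );
    }

    return true;
}

// Handler: re-resolve through the same helper so the content read is tied to
// the post the permission callback approved. wp_trim_words() stands in for
// the summary generator the advisory describes (assumption for the example).
function example_generate( WP_REST_Request $request ) {
    $post = example_resolve_post( $request );
    if ( ! $post ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', [ 'status' => 404 ] );
    }
    $content = wp_strip_all_tags( (string) $post->post_content );
    return rest_ensure_response( [ 'summary' => wp_trim_words( $content, 40 ) ] );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'slim-seo', '/meta-tags/ai', [
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_generate',
        'permission_callback' => 'example_hardened_permission',
        'args'                => [
            'object' => [ 'required' => true, 'type' => 'object' ],
        ],
    ] );
} );
```

The defender's check for any REST route that takes a post ID is the same: the permission callback must evaluate a per-object meta capability (`read_post`, `edit_post`) against the ID the request actually carries, not only a role-level capability such as `edit_posts`. A quick audit is to grep a plugin's `register_rest_route` calls and confirm that every `permission_callback` that reads an ID from the request also passes that ID to `current_user_can()`.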
Weakness Enumeration
Related Identifiers
Affected Products
Slim SEO – A Fast & Automated SEO Plugin For WordPress