{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11734", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-14T10:08:30.799Z", "datePublished": "2025-11-18T09:27:35.134Z", "dateUpdated": "2026-04-08T16:32:41.233Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:41.233Z"}, "affected": [{"vendor": "aioseo", "product": "Broken Link Checker by AIOSEO \u2013 Easily Fix/Monitor Internal and External links", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Broken Link Checker by AIOSEO \u2013 Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization in all versions up to, and including, 1.2.5. This is due to the plugin registering a REST API endpoint that only checks for a broad capability (aioseo_blc_broken_links_page) that is granted to contributor level users, without verifying the user's permission to perform actions on the specific post being targeted. This makes it possible for authenticated attackers, with contributor level access and above, to trash arbitrary posts via the DELETE /wp-json/aioseoBrokenLinkChecker/v1/post endpoint."}], "title": "Broken Link Checker by AIOSEO \u2013 Easily Fix/Monitor Internal and External links <= 1.2.5 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Trashing", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0254cd1b-f8f6-400e-a48e-81bd553fe8d1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3390304/broken-link-checker-seo"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucas Montes"}], "timeline": [{"time": "2025-10-06T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-10-17T18:42:18.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-17T20:46:55.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-18T21:39:40.490112Z", "id": "CVE-2025-11734", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-18T21:39:53.173Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11734", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-18T21:39:40.490112Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-18T21:39:49.139Z"}}], "cna": {"title": "Broken Link Checker by AIOSEO \u2013 Easily Fix/Monitor Internal and External links <= 1.2.5 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Trashing", "credits": [{"lang": "en", "type": "finder", "value": "Lucas Montes"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"}}], "affected": [{"vendor": "aioseo", "product": "Broken Link Checker by AIOSEO \u2013 Easily Fix/Monitor Internal and External links", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-06T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-10-17T18:42:18.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-17T20:46:55.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0254cd1b-f8f6-400e-a48e-81bd553fe8d1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3390304/broken-link-checker-seo"}], "descriptions": [{"lang": "en", "value": "The Broken Link Checker by AIOSEO \u2013 Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization in all versions up to, and including, 1.2.5. This is due to the plugin registering a REST API endpoint that only checks for a broad capability (aioseo_blc_broken_links_page) that is granted to contributor level users, without verifying the user's permission to perform actions on the specific post being targeted. This makes it possible for authenticated attackers, with contributor level access and above, to trash arbitrary posts via the DELETE /wp-json/aioseoBrokenLinkChecker/v1/post endpoint."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:41.233Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11734", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:32:41.233Z", "dateReserved": "2025-10-14T10:08:30.799Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-18T09:27:35.134Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Broken Link Checker by AIOSEO \u2013 Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization in all versions up to, and including, 1.2.5. This is due to the plugin registering a REST API endpoint that only checks for a broad capability (aioseo_blc_broken_links_page) that is granted to contributor level users, without verifying the user's permission to perform actions on the specific post being targeted. This makes it possible for authenticated attackers, with contributor level access and above, to trash arbitrary posts via the DELETE /wp-json/aioseoBrokenLinkChecker/v1/post endpoint."}], "id": "CVE-2025-11734", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-18T10:15:44.910", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3390304/broken-link-checker-seo"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0254cd1b-f8f6-400e-a48e-81bd553fe8d1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T21:10:24.224335+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to a version newer than 1.2.5, which removes the vulnerable REST endpoint", "Revoke or remove the Contributor capability aioseo_blc_broken_links_page from users who do not need it, limiting the scope of the flaw", "If an upgrade is not immediately possible, add a custom function to block or delete requests to /wp-json/aioseoBrokenLinkChecker/v1/post by non\u2011administrator users", "Audit all posts for unexpected deletion activity and restore from backups if necessary"], "summary": {"action": "Apply Patch", "impact": "Arbitrary post deletion via REST API"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress plugin Broken Link Checker by AIOSEO \u2013 Easily Fix/Monitor Internal and External links in all releases up to and including version 1.2.5. No additional product or version details were provided.,", "description_and_impact": "The Broken Link Checker by AIOSEO \u2013 Easily Fix/Monitor Internal and External links plugin includes a REST API endpoint that permits deletion of any post. The endpoint checks only for the capability aioseo_blc_broken_links_page, which is granted to Contributor users and higher, but does not verify ownership or specific permissions for the target post. An attacker who is authenticated as a Contributor or above can therefore send a DELETE request to /wp-json/aioseoBrokenLinkChecker/v1/post and move any post to the trash. This results in loss of content and can function as a denial\u2011of\u2011service attack against the site\u2019s editorial workflow. The weakness is a missing authorization check, identified as CWE\u2011862.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate severity, while the EPSS score of less than 1% suggests exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. The attack requires authentication as a user with at least Contributor level, but once authenticated the attacker can delete any post without further authorization checks. The exploit path is straightforward: authenticate, send a DELETE request to the REST endpoint, and target any post ID. Monitoring logs or disabling the endpoint are mitigations, but the preferred action is to apply a patch that removes the authorization flaw."}}}}, "created": "2025-11-19T10:48:02.693523+00:00", "updated": "2026-04-22T21:15:27.682119+00:00", "vendors": ["aioseo", "aioseo$PRODUCT$broken_link_checker", "wordpress", "wordpress$PRODUCT$wordpress"]}