PatchSiren cyber security CVE debrief
CVE-2025-14481 yoast CVE debrief
CVE-2025-14481 is a medium-severity Insecure Direct Object Reference (IDOR) vulnerability in the Yoast SEO WordPress plugin affecting all versions up to and including 26.5. The vulnerability resides in the Meta Search REST API endpoint, which fails to properly validate post ownership before returning SEO metadata. Authenticated attackers with Contributor-level privileges or higher can exploit this flaw by manipulating the 'post_id' parameter to access sensitive SEO metadata from arbitrary posts—including those owned by other users, private posts, and draft posts—regardless of their access permissions. The CVSS 3.1 score of 4.3 reflects the network attack vector, low attack complexity, low privileges required, and low confidentiality impact. The vulnerability was reported to Wordfence and disclosed on May 27, 2026. A fix has been implemented in the plugin's development repository.
- Vendor: yoast
- Product: Yoast SEO – Advanced SEO with real-time guidance and built-in AI
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
WordPress site administrators using Yoast SEO plugin versions 26.5 or earlier; security teams monitoring WordPress plugin vulnerabilities; organizations with multi-author WordPress environments where Contributor or Author roles are granted to untrusted users.
Technical summary
The Yoast SEO plugin's Meta Search REST API endpoint (meta-search-route.php) fails to verify that the requesting user has permission to access the requested post's SEO metadata. The endpoint accepts a post_id parameter without validating post ownership or visibility status against the requesting user's capabilities. This allows authenticated users with Contributor role or higher to enumerate and retrieve SEO metadata—including focus keywords, meta descriptions, and other optimization data—from any post on the site, including unpublished drafts and private posts they would not normally be able to view. The vulnerability is classified as CWE-862 (Missing Authorization).
Defensive priority
medium
Recommended defensive actions
- Upgrade Yoast SEO plugin to version 26.6 or later to remediate the IDOR vulnerability in the Meta Search REST API endpoint.
- If immediate patching is not feasible, restrict Contributor-level user accounts and audit existing Contributor users for suspicious activity.
- Implement Web Application Firewall (WAF) rules to detect and block anomalous requests to the Meta Search REST API endpoint with unexpected post_id parameters.
- Review access logs for requests to the Meta Search REST API endpoint from Contributor-level accounts accessing post IDs outside their expected scope.
- Enable comprehensive logging for REST API access to facilitate detection of unauthorized metadata access attempts.
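The log-review actions above can be scripted. The following is an added example, not code from PatchSiren, Wordfence or the Yoast project: it parses a constructed REST access log, keeps only requests to the Meta Search route, and reports low-privilege users (Contributor, Author) who requested SEO metadata for post IDs they do not own, flagging anyone who touched several foreign IDs as a possible enumeration. The log line format, the `ROUTE_PATH` value, the `SAMPLE_LOG` records and the `OWNED_POSTS` ownership map are all assumptions made for the example; the real route path and ownership data must be taken from the installed plugin and the site's `wp_posts.post_author` column.

```python
"""Added example: flag CVE-2025-14481-style foreign post_id access in REST logs.

Assumptions (not from the advisory): each REST request is logged on one line as
"<timestamp> user=<login> role=<role> <METHOD> <path-with-query>", and the Yoast
Meta Search route is matched exactly by ROUTE_PATH below.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Placeholder route path; confirm against the route registered by meta-search-route.php
ROUTE_PATH = "/wp-json/yoast/v1/meta/search"

# Roles that should only see SEO metadata for posts they own
LOW_PRIVILEGE_ROLES = {"contributor", "author"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+role=(?P<role>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)$"
)

# Constructed sample log: carol owns post 101 only; post 300 is the admin's private post
SAMPLE_LOG = """\
2026-05-27T10:00:01Z user=carol role=contributor GET /wp-json/yoast/v1/meta/search?post_id=101
2026-05-27T10:00:02Z user=carol role=contributor GET /wp-json/yoast/v1/meta/search?post_id=102
2026-05-27T10:00:03Z user=carol role=contributor GET /wp-json/yoast/v1/meta/search?post_id=103
2026-05-27T10:00:04Z user=carol role=contributor GET /wp-json/yoast/v1/meta/search?post_id=300
2026-05-27T10:00:05Z user=dave role=contributor GET /wp-json/yoast/v1/meta/search?post_id=201
2026-05-27T10:00:06Z user=admin role=administrator GET /wp-json/yoast/v1/meta/search?post_id=300
2026-05-27T10:00:07Z user=carol role=contributor GET /wp-json/wp/v2/posts/101
not a log line
"""

# Constructed ownership map; in production build it from wp_posts.post_author
OWNED_POSTS = {"carol": {101}, "dave": {201}, "admin": {300}}


def parse_line(line):
    """Return (user, role, post_id) for a Meta Search request, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skipped, not treated as a hit
    parts = urlsplit(m.group("path"))
    if parts.path != ROUTE_PATH:
        return None  # some other REST route
    post_ids = parse_qs(parts.query).get("post_id")
    if not post_ids or not post_ids[0].isdigit():
        return None  # missing or malformed post_id cannot be an IDOR candidate
    return m.group("user"), m.group("role").lower(), int(post_ids[0])


def find_foreign_access(log_text, owned_posts):
    """Map each low-privilege user to the sorted post_ids they requested but do not own."""
    foreign = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, role, post_id = rec
        if role not in LOW_PRIVILEGE_ROLES:
            continue  # editors and administrators may legitimately read any post
        if post_id not in owned_posts.get(user, set()):
            foreign[user].add(post_id)
    return {user: sorted(ids) for user, ids in foreign.items()}


def flag_enumeration(foreign, threshold=3):
    """Users whose number of distinct foreign post_ids reaches the threshold."""
    return sorted(user for user, ids in foreign.items() if len(ids) >= threshold)


if __name__ == "__main__":
    hits = find_foreign_access(SAMPLE_LOG, OWNED_POSTS)
    for user, ids in sorted(hits.items()):
        print(f"{user}: requested metadata for posts not owned: {ids}")
    print("enumeration suspects:", flag_enumeration(hits))
```

On the sample data, `carol` is reported for posts 102, 103 and 300 and is the only enumeration suspect; `dave` only read his own post and `admin` is exempt by role. The ownership check is deliberately strict: a Contributor on a site with shared editorial workflows may legitimately look at colleagues' posts, so treat single hits as review items and the enumeration flag as the higher-confidence signal. After upgrading to 26.6 or later, the same query over post-patch logs should show these requests being rejected rather than served.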
Evidence notes
Vulnerability confirmed via Wordfence advisory and NVD record. Affected code identified in meta-search-route.php at line 56 in versions 26.4 and trunk. Patch available via GitHub pull request #22797 and committed in WordPress.org changeset 3412286.
Official resources
2026-05-27