WordPress Plugin Vulnerabilities

SiteSEO < 1.3.2 - Author+ Plugin Settings Update

Description

The plugin is vulnerable to Missing Authorization due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Author-level access and above, to enable or disable arbitrary SiteSEO features that they should not have access to.

Affects Plugins

Plugin icon
siteseo
Fixed in 1.3.2

References

CVE
CVE-2025-12367
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/54535bef-23c3-4045-bb37-ba28ae5461b1

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Athiwat Tiprasaharn (Jitlada)
Verified
No
WPVDB ID
a7eb09fe-319e-42bf-add7-4479bff94252

Timeline

Publicly Published
2025-10-31 (about 6 months ago)
Added
2025-10-31 (about 6 months ago)
Last Updated
2025-10-31 (about 6 months ago)

Other

Published
Title
Published
2021-09-29
Title
Stylish Price List < 6.9.1 - Subscriber+ Arbitrary Image Upload
Published
2026-01-12
Title
CP Image Store with Slideshow < 1.2.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Product Import
Published
2025-11-07
Title
Download Manager < 3.3.31 - Unauthenticated Cron Trigger due to Hardcoded Cron Key
Published
2024-07-01
Title
LearnPress – WordPress LMS Plugin < 4.2.6.8.2 - Unauthenticated Bypass to User Registration
Published
2024-01-05
Title
WP Job Manager < 2.1.0 - Unauthenticated Job Status Update