WordPress Plugin Vulnerabilities

Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links < 1.2.6 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Trashing

Description

The Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization in all versions up to, and including, 1.2.5. This is due to the plugin registering a REST API endpoint that only checks for a broad capability (aioseo_blc_broken_links_page) that is granted to contributor level users, without verifying the user's permission to perform actions on the specific post being targeted. This makes it possible for authenticated attackers, with contributor level access and above, to trash arbitrary posts via the DELETE /wp-json/aioseoBrokenLinkChecker/v1/post endpoint.

Affects Plugins

Plugin icon
broken-link-checker-seo
Fixed in 1.2.6

References

CVE
CVE-2025-11734
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0254cd1b-f8f6-400e-a48e-81bd553fe8d1

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Lucas Montes (Nirox)
Verified
No
WPVDB ID
b5ebe62f-daca-4840-add8-11a94749d292

Timeline

Publicly Published
2025-11-17 (about 5 months ago)
Added
2025-11-17 (about 5 months ago)
Last Updated
2025-11-18 (about 5 months ago)

Other

Published
Title
Published
2023-11-14
Title
miniorange otp verification < 4.2.2 - Missing Authorization via dismiss_notice
Published
2026-02-18
Title
Influencer < 1.1.8 - Missing Authorization
Published
2025-10-24
Title
ThemeRain Core <= 1.1.9 - Missing Authorization
Published
2024-04-29
Title
Directorist < 7.9.0 - Missing Authorization
Published
2025-05-22
Title
CryptoCloud - Crypto Payment Gateway < 2.3.2 - Missing Authorization