SecuriTricks - CVE-2025-11734

Description

The Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization in all versions up to, and including, 1.2.5. This is due to the plugin registering a REST API endpoint that only checks for a broad capability (aioseo_blc_broken_links_page) that is granted to contributor level users, without verifying the user's permission to perform actions on the specific post being targeted. This makes it possible for authenticated attackers, with contributor level access and above, to trash arbitrary posts via the DELETE /wp-json/aioseoBrokenLinkChecker/v1/post endpoint.

Product(s) Impacted

Vendor	Product	Versions
Aioseop	Broken Link Checker	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-862

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	aioseop	broken_link_checker	/	/	/	/	/	wordpress	/	/

References

https://plugins.trac.wordpress.org/changeset/3390304/broken-link-checker-seo

https://www.wordfence.com/threat-intel/vulnerabilities/id/0254cd1b-f8f6-400e-a48e-81bd553fe8d1?source=cve

CVSS Score

5.4 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

View Vector String

Timeline

Published: Nov. 18, 2025, 10:15 a.m.
Last Modified: Nov. 18, 2025, 2:06 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@wordfence.com

CVE-2025-11734