CVE-2025-11734 MEDIUM

CVE-2025-11734: Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links <= 1.2.5 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Trashing

Vendor Aioseo
Product Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links
Weakness CWE-862 · Missing authorization
Published November 18, 2025
Last update April 8, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01 Description

The Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization in all versions up to, and including, 1.2.5. This is due to the plugin registering a REST API endpoint that only checks for a broad capability (aioseo_blc_broken_links_page) that is granted to contributor level users, without verifying the user's permission to perform actions on the specific post being targeted. This makes it possible for authenticated attackers, with contributor level access and above, to trash arbitrary posts via the DELETE /wp-json/aioseoBrokenLinkChecker/v1/post endpoint.
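The pattern described above is a capability check that stops at the role level: any user holding the broad capability passes, whatever post the request names. The following PHP is an added illustration of that pattern beside a hardened permission callback; it is not the plugin's code. The route namespace, the DELETE method and the capability name `aioseo_blc_broken_links_page` are taken from the advisory; the `postId` parameter name, the function names prefixed `blc_example_` and the response shape are assumptions.

```php
<?php
/**
 * Added illustration for this advisory, not the plugin's own code.
 * Assumed: parameter name "postId", function names prefixed blc_example_.
 */

// Weak pattern described in the advisory: a single role-level capability check.
// Every Contributor+ holding aioseo_blc_broken_links_page passes, regardless of
// which post the request targets, so object-level authorization never happens.
function blc_example_permission_weak( WP_REST_Request $request ) {
	return current_user_can( 'aioseo_blc_broken_links_page' );
}

// Hardened pattern: keep the broad check, then verify the caller may act on the
// specific post. 'delete_post' is a meta capability that WordPress maps per post
// (map_meta_cap), so a Contributor passes only for their own unpublished posts.
function blc_example_permission_hardened( WP_REST_Request $request ) {
	if ( ! current_user_can( 'aioseo_blc_broken_links_page' ) ) {
		return new WP_Error(
			'rest_forbidden',
			'You are not allowed to use the broken link checker.',
			array( 'status' => rest_authorization_required_code() )
		);
	}

	$post_id = absint( $request->get_param( 'postId' ) ); // assumed parameter name
	$post    = get_post( $post_id );
	if ( ! $post ) {
		return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
	}

	if ( ! current_user_can( 'delete_post', $post->ID ) ) {
		return new WP_Error(
			'rest_cannot_delete',
			'You are not allowed to trash this post.',
			array( 'status' => rest_authorization_required_code() )
		);
	}

	return true;
}

// Route handler: only reached after the permission callback returned true.
function blc_example_trash_post( WP_REST_Request $request ) {
	$post_id = absint( $request->get_param( 'postId' ) );
	$trashed = wp_trash_post( $post_id );
	if ( ! $trashed ) {
		return new WP_Error( 'rest_cannot_trash', 'Trashing the post failed.', array( 'status' => 500 ) );
	}
	return rest_ensure_response( array( 'id' => $post_id, 'trashed' => true ) );
}

add_action( 'rest_api_init', function () {
	// Namespace and method follow the advisory's endpoint; the hardened callback is registered.
	register_rest_route(
		'aioseoBrokenLinkChecker/v1',
		'/post',
		array(
			'methods'             => WP_REST_Server::DELETABLE,
			'callback'            => 'blc_example_trash_post',
			'permission_callback' => 'blc_example_permission_hardened',
			'args'                => array(
				'postId' => array(
					'required'          => true,
					'type'              => 'integer',
					'sanitize_callback' => 'absint',
				),
			),
		)
	);
} );
```

The practical check when reviewing any REST route is the `permission_callback`: if it only tests a custom or role-level capability and the handler then acts on an ID from the request, the route has the same shape as the one described here. The fix is to resolve the object first and test the meta capability (`delete_post`, `edit_post`) against that object's ID before the handler runs.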

Explanation of Vulnerability in Simple Terms

02 Summary

The Broken Link Checker by AIOSEO plugin, in versions up to and including 1.2.5, does not check whether the calling user is allowed to act on the specific post named in a request to its REST API; it only checks a broad capability that Contributor-level users already hold. An authenticated user with a Contributor account or higher can therefore trash posts they do not own. Update to a version newer than 1.2.5 to resolve this issue.

What an attacker can do

03 Attacker Capabilities

Trash arbitrary posts through the plugin's REST endpoint, bypassing the per-post authorization that WordPress would normally enforce.

Potential impact on your site

04 Site Impact

Contributor-level users can move posts they are not permitted to delete into the trash, removing content from the site and disrupting editorial workflows (integrity and availability impact).

Conditions required to exploit

05 Prerequisites

Attacker must have an authenticated account on the site with Contributor-level access or higher.

Key dates

06 Disclosure timeline

November 18, 2025 CVE published
April 8, 2026 Record updated