Description (what the vulnerability does)
The Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization in all versions up to, and including, 1.2.5. The plugin registers a REST API endpoint whose only check is for a broad capability (aioseo_blc_broken_links_page) that is granted to contributor-level users; it never verifies that the caller is allowed to act on the specific post being targeted. This makes it possible for authenticated attackers with contributor-level access and above to trash arbitrary posts via the DELETE /wp-json/aioseoBrokenLinkChecker/v1/post endpoint.
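The pattern the advisory describes, shown as an added illustrative example that is not the plugin's own code: the route namespace, HTTP method and capability name come from the advisory, while the function names and the postId parameter are hypothetical. The weak permission callback stops at the broad plugin capability; the hardened one additionally asks WordPress for the post-specific delete_post meta capability.

```php
<?php
// Illustrative example (not the plugin's code). Route, method and capability name
// are from the advisory; callback names and the 'postId' parameter are assumptions.

// Weak pattern described in the advisory: only a broad capability is checked, and
// Contributors hold it, so any Contributor passes this check for any post ID.
function blc_example_register_weak_route() {
    register_rest_route( 'aioseoBrokenLinkChecker/v1', '/post', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'blc_example_trash_post',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'aioseo_blc_broken_links_page' );
        },
    ) );
}

// Hardened pattern: keep the feature capability, then check the post-specific
// 'delete_post' meta capability so WordPress maps the caller's role against the
// post's author and status (a Contributor cannot delete another user's post).
function blc_example_register_hardened_route() {
    register_rest_route( 'aioseoBrokenLinkChecker/v1', '/post', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'blc_example_trash_post',
        'args'                => array(
            'postId' => array( 'required' => true, 'type' => 'integer', 'minimum' => 1 ),
        ),
        'permission_callback' => function ( WP_REST_Request $request ) {
            $post_id = (int) $request->get_param( 'postId' );
            if ( ! current_user_can( 'aioseo_blc_broken_links_page' ) ) {
                return new WP_Error( 'rest_forbidden', 'Missing plugin capability.', array( 'status' => 403 ) );
            }
            if ( ! get_post( $post_id ) || ! current_user_can( 'delete_post', $post_id ) ) {
                return new WP_Error( 'rest_cannot_delete', 'Not allowed to trash this post.', array( 'status' => 403 ) );
            }
            return true;
        },
    ) );
}

// Shared handler: by the time it runs, the permission callback has already decided.
function blc_example_trash_post( WP_REST_Request $request ) {
    $post_id = (int) $request->get_param( 'postId' );
    if ( ! wp_trash_post( $post_id ) ) {
        return new WP_Error( 'rest_trash_failed', 'Could not trash post.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'trashed' => $post_id ) );
}

// Only the hardened registration should be hooked; the weak one is shown for contrast.
add_action( 'rest_api_init', 'blc_example_register_hardened_route' );
```

When reviewing a plugin for this class of bug, look at every permission_callback that returns a bare current_user_can( 'some_feature_cap' ) while the handler takes an object ID from the request.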
Summary (explanation in simple terms)
The Broken Link Checker by AIOSEO plugin for WordPress, in versions up to and including 1.2.5, lacks proper authorization checks, allowing authenticated users with low privileges to modify or delete link data they should not be able to access. An attacker with a basic user account can alter the integrity of monitored links or disrupt the plugin's functionality. Update to a version newer than 1.2.5 to resolve this issue.
Attacker capabilities (what an attacker can do)
Modify or delete link checker data without proper authorization.
Site impact (potential impact on your site)
Users with basic accounts can tamper with link monitoring data, affecting site maintenance workflows.
Prerequisites (conditions required to exploit)
The attacker must have a low-privilege authenticated account on the site (contributor level or above).
Disclosure timeline (key dates)
November 18, 2025: CVE published
April 8, 2026: Record updated