CVE-2025-62928 MEDIUM

CVE-2025-62928: WordPress SEO Meta Description Updater plugin <= 1.2.0 - Broken Access Control vulnerability

Vendor Joby Joseph

Product SEO Meta Description Updater

Weakness CWE-862 · Missing authorization

Published October 27, 2025

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Missing Authorization vulnerability in Joby Joseph SEO Meta Description Updater seo-meta-description-updater allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SEO Meta Description Updater: from n/a through <= 1.2.0.

Explanation of Vulnerability in Simple Terms

02Summary

The SEO Meta Description Updater plugin for WordPress contains a missing authorization flaw that allows authenticated users with low privileges to modify meta descriptions they should not have access to. An attacker with a basic user account can alter SEO metadata on the site without proper permission checks. This affects versions 1.2.0 and earlier.

What an attacker can do

03Attacker Capabilities

Modify SEO meta descriptions on pages or posts without proper authorization.

Potential impact on your site

04Site Impact

Unauthorized users can alter your site's SEO metadata, potentially damaging search rankings or injecting misleading descriptions.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account (e.g., Contributor or Subscriber role) on the WordPress site.

Key dates

06Disclosure timeline

October 27, 2025 CVE published

April 28, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-62928 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities