CVE-2025-15285

HIGH 7.5

SEO Flow by LupsOnline <= 2.2.1 - Unauthenticated Arbitrary Post/Category Modification

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

The SEO Flow by LupsOnline plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the checkBlogAuthentication() and checkCategoryAuthentication() functions in all versions up to, and including, 2.2.1. These authorization functions only implement basic API key authentication but fail to implement WordPress capability checks. This makes it possible for unauthenticated attackers to create, modify, and delete blog posts and categories.

CWE	CWE-862
Vendor	lupsonline
Product	seo flow by lupsonline
Published	Feb 4, 2026
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for lupsonline seo flow by lupsonline

Be the first to know when new high vulnerabilities affecting lupsonline seo flow by lupsonline are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

lupsonline / SEO Flow by LupsOnline

0 ≤ 2.2.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/526837cc-ed1d-4d3d-8f75-a2098445dd1d?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/lupsonline-link-netwerk/tags/2.2.1/includes/class-linknetwerk-api.php?marks=83-99,101-117#L83 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?old_path=/lupsonline-link-netwerk/tags/2.2.1&new_path=/lupsonline-link-netwerk/tags/3.0.1&sfp_email=&sfph_mail=

Credits

Tarcísio Luchesi De Almeida Silva