🔐 CVE Alert

CVE-2026-12408

MEDIUM 4.3

Slim SEO <= 4.9.8 - Authenticated (Contributor+) Insufficient Authorization to Private Content Disclosure via 'object.ID' Parameter

CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th

The Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin for WordPress is vulnerable to Unauthorized Private Content Disclosure in all versions up to, and including, 4.9.8 via the `/wp-json/slim-seo/meta-tags/ai` REST API endpoint. This is due to the endpoint's `permission_callback` performing only a top-level `edit_posts` capability check without verifying that the requesting user has read access to the specific post supplied via the `object.ID` parameter, allowing the `generate` function to pass the attacker-controlled post ID to `Data::get_post_content()`, which calls `get_post()` regardless of post status or ownership. This makes it possible for authenticated attackers with Contributor-level access and above to retrieve AI-generated summaries of the raw `post_content` of arbitrary posts they are not authorized to view — including private posts, drafts, pending, future, and password-protected content authored by other users — with the substance of the protected content disclosed via the HTTP response.

CWE CWE-200
Vendor rilwis
Product slim seo – a fast & automated seo plugin for wordpress
Published Jul 1, 2026
Stay Ahead of the Next One

Get instant alerts for rilwis slim seo – a fast & automated seo plugin for wordpress

Be the first to know when new medium vulnerabilities affecting rilwis slim seo – a fast & automated seo plugin for wordpress are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

rilwis / Slim SEO – A Fast & Automated SEO Plugin For WordPress
0 ≤ 4.9.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/6e6603a0-8f35-49fb-a517-ba6344538c4d?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/slim-seo/tags/4.9.8/src/MetaTags/AI.php#L55 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/slim-seo/tags/4.9.8/src/MetaTags/AI.php#L21 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/slim-seo/tags/4.9.8/src/MetaTags/Data.php#L117 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/slim-seo/tags/4.9.5/src/MetaTags/AI.php#L55 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/slim-seo/tags/4.9.5/src/MetaTags/AI.php#L21 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/slim-seo/tags/4.9.5/src/MetaTags/Data.php#L117 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3576523%40slim-seo&new=3576523%40slim-seo&sfp_email=&sfph_mail=

Credits

Abu Hurayra (HurayraIIT)