CVE-2025-11734
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level permissions or higher to delete arbitrary posts without proper authorization checks. The Broken Link Checker plugin's REST API endpoint fails to verify user permissions for specific posts, enabling post trashing attacks. All WordPress sites using this plugin up to version 1.2.5 are affected.
💻 Affected Systems
- Broken Link Checker by AIOSEO WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious contributor deletes all website content, causing complete data loss and site disruption.
Likely Case
Disgruntled contributor or compromised account deletes selective posts, causing content loss and operational impact.
If Mitigated
With proper user access controls and monitoring, impact limited to minor content disruption.
🎯 Exploit Status
Exploitation requires authenticated access with contributor privileges. Simple HTTP request to vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.6 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3390304/broken-link-checker-seo
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Broken Link Checker by AIOSEO'. 4. Click 'Update Now' if available. 5. Alternatively, download version 1.2.6+ from WordPress repository and replace plugin files.
🔧 Temporary Workarounds
Disable vulnerable REST endpoint
allRemove the vulnerable REST API endpoint registration by modifying plugin code or using filters.
Add to theme's functions.php: remove_action('rest_api_init', 'aioseo_blc_register_rest_routes');
Restrict contributor capabilities
allTemporarily remove contributor ability to use Broken Link Checker features.
Add to theme's functions.php: add_filter('user_has_cap', function($caps) { unset($caps['aioseo_blc_broken_links_page']); return $caps; }, 10, 1);
🧯 If You Can't Patch
- Temporarily deactivate Broken Link Checker plugin until patched version available
- Implement strict user access controls and monitor contributor activity closely
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Broken Link Checker version. If version ≤1.2.5, vulnerable.Check Version:
wp plugin list --name="Broken Link Checker by AIOSEO" --field=versionVerify Fix Applied:
Verify plugin version is 1.2.6 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- HTTP POST/DELETE requests to /wp-json/aioseoBrokenLinkChecker/v1/post from contributor users
- WordPress audit logs showing unexpected post deletions
Network Indicators:
- HTTP traffic to vulnerable REST endpoint with contributor authentication
SIEM Query:
source="wordpress" AND (uri_path="/wp-json/aioseoBrokenLinkChecker/v1/post" OR action="deleted_post") AND user_role="contributor"