Insecure Direct Object Reference in Yoast SEO Plugin for WordPress
CVE-2025-14481

4.3 MEDIUM

What is CVE-2025-14481?

The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object Reference (IDOR) in its Meta Search REST API endpoint. The endpoint confirms that the caller is authenticated but does not check that the caller is authorized to access the specific post named in the 'post_id' parameter. An authenticated user with Contributor-level access or higher can therefore supply any post ID and retrieve that post's SEO metadata, including metadata for posts owned by other users and for private and draft posts the attacker could not otherwise read. The impact is limited to disclosure of SEO metadata; the endpoint does not allow it to be modified. Site owners running version 26.5 or earlier should update to a later release.
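The pattern behind this class of bug is a REST route whose permission check proves only that the caller is logged in, never that the caller may touch the object identified by 'post_id'. The following is an added illustration, not Yoast's code: the route namespace, route name, function names and meta keys are all assumed for the example. The first registration shows the vulnerable shape; the second ties the permission callback to the requested post ID.

```php
<?php
/**
 * Illustrative WordPress REST endpoint showing the IDOR pattern described
 * in the advisory next to a hardened version. Not Yoast's code: the
 * 'example/v1' namespace, the '/meta-search' route and the meta keys are
 * assumed for this example.
 */

// --- Vulnerable shape: the permission check only proves the caller is
// authenticated. It never asks whether this user may access *this* post,
// so any Contributor can walk post_id across the whole site. ---
function example_register_vulnerable_route() {
	register_rest_route( 'example/v1', '/meta-search', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => 'example_meta_search',
		'permission_callback' => function () {
			return is_user_logged_in(); // Contributor and up all pass.
		},
		'args' => array(
			'post_id' => array( 'required' => true, 'type' => 'integer' ),
		),
	) );
}

// --- Hardened shape: authorize against the specific object ID. ---
function example_register_hardened_route() {
	register_rest_route( 'example/v1', '/meta-search', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => 'example_meta_search',
		'permission_callback' => 'example_can_read_post_meta',
		'args' => array(
			'post_id' => array(
				'required'          => true,
				'type'              => 'integer',
				'sanitize_callback' => 'absint',
				'validate_callback' => function ( $value ) {
					return is_numeric( $value ) && (int) $value > 0;
				},
			),
		),
	) );
}

/**
 * Object-level authorization. 'edit_post' goes through map_meta_cap(), so a
 * Contributor passes for their own drafts and fails for other users' posts,
 * private posts and published posts they do not own.
 */
function example_can_read_post_meta( WP_REST_Request $request ) {
	$post_id = absint( $request->get_param( 'post_id' ) );
	$post    = get_post( $post_id );

	// Same error for "no such post" and "not yours": a distinct 404 would
	// let a caller enumerate which IDs exist, including private drafts.
	if ( ! $post || ! current_user_can( 'edit_post', $post->ID ) ) {
		return new WP_Error(
			'rest_forbidden',
			__( 'Sorry, you are not allowed to do that.' ),
			array( 'status' => 403 )
		);
	}
	return true;
}

function example_meta_search( WP_REST_Request $request ) {
	$post_id = absint( $request->get_param( 'post_id' ) );
	// Meta keys are assumed for the example.
	return rest_ensure_response( array(
		'post_id'     => $post_id,
		'title'       => get_post_meta( $post_id, '_example_seo_title', true ),
		'description' => get_post_meta( $post_id, '_example_seo_description', true ),
	) );
}

// Only the hardened route is registered; the vulnerable one is kept above
// for contrast and must not be hooked, since both declare the same path.
add_action( 'rest_api_init', 'example_register_hardened_route' );
```

The choice of 'edit_post' rather than 'read_post' is deliberate: 'read_post' succeeds for anyone on a published post, which is acceptable for public data but not for an editor-facing endpoint that exists to service users working on a post. Whatever capability is chosen, the check must take the post ID from the request as its second argument; a capability check without an object ID is exactly the gap this advisory describes.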

Affected Version(s)

Yoast SEO (Advanced SEO with real-time guidance and built-in AI): all versions up to and including 26.5 (0 <= version <= 26.5)

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

NumeX