Unauthorized Private Content Disclosure in Slim SEO Plugin for WordPress
CVE-2026-12408

4.3 MEDIUM (CVSS v3.1)

What is CVE-2026-12408?

The Slim SEO – A Fast & Automated SEO Plugin For WordPress is vulnerable to unauthorized disclosure of private content in all versions up to and including 4.9.8 via the /wp-json/slim-seo/meta-tags/ai REST API endpoint. The endpoint's permission check is insufficient: it does not verify that the caller is allowed to read the specific post being summarized. As a result, authenticated attackers with Contributor-level access and above can request AI-generated summaries of posts belonging to other users, including private, draft, pending, and password-protected posts, and so learn the substance of content they are not permitted to view. Because the summary is generated from the post body, what leaks is the content itself, not merely the fact that the post exists. Site owners should update to a release newer than 4.9.8; until then, treat the endpoint as readable by every account at Contributor level or above.
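The root cause described above is a REST route whose permission_callback checks only that the caller is logged in (or holds some general capability) rather than whether the caller may read the particular post. The following is an added illustration of that bug class beside its fix; it is not Slim SEO's code, and the route namespace (example-seo/v1), the function names and the stand-in summarizer are all hypothetical. It relies only on core WordPress functions: register_rest_route, current_user_can, post_password_required and rest_authorization_required_code.

```php
<?php
// Hypothetical plugin code (assumption: not Slim SEO's implementation) showing a
// REST endpoint with an insufficient permission check next to a hardened version.

add_action( 'rest_api_init', function () {
    $args = array(
        'post_id' => array( 'required' => true, 'type' => 'integer' ),
    );

    // WEAK: any authenticated user (Contributor and above) passes this check, so the
    // callback will happily summarize another user's private, draft, pending or
    // password-protected post. This is the shape of bug the advisory describes.
    register_rest_route( 'example-seo/v1', '/summary', array(
        'methods'             => 'POST',
        'callback'            => 'example_seo_summary',
        'permission_callback' => 'is_user_logged_in',
        'args'                => $args,
    ) );

    // HARDENED: the permission check is tied to the specific post being requested.
    register_rest_route( 'example-seo/v1', '/summary-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_seo_summary',
        'permission_callback' => 'example_seo_can_summarize',
        'args'                => $args,
    ) );
} );

/**
 * Per-post authorization for the summary endpoint.
 *
 * WordPress maps the 'read_post' meta capability to 'read' for published posts,
 * to 'read_private_posts' for other users' private posts, and to 'edit_post' for
 * drafts and pending posts, so a Contributor is refused on other users'
 * unpublished content. Password-protected posts are still 'publish', so
 * 'read_post' alone would pass; they are checked separately.
 */
function example_seo_can_summarize( WP_REST_Request $request ) {
    $post = get_post( (int) $request['post_id'] );
    if ( ! $post ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }

    if ( ! current_user_can( 'read_post', $post->ID ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to read this post.',
            array( 'status' => rest_authorization_required_code() ) // 401 anon, 403 logged in
        );
    }

    // Password-protected: only someone who may edit the post gets a summary
    // without supplying the password.
    if ( post_password_required( $post ) && ! current_user_can( 'edit_post', $post->ID ) ) {
        return new WP_Error(
            'rest_forbidden',
            'This post is password protected.',
            array( 'status' => 403 )
        );
    }

    return true;
}

/**
 * Stand-in for the AI summary (assumption: a real plugin would call a model here).
 * The vulnerability is not in how the summary is produced but in who may request it,
 * so a simple excerpt is enough to show what leaks.
 */
function example_seo_summary( WP_REST_Request $request ) {
    $post    = get_post( (int) $request['post_id'] );
    $summary = wp_trim_words( wp_strip_all_tags( $post->post_content ), 40 );

    return rest_ensure_response( array(
        'post_id' => $post->ID,
        'status'  => $post->post_status,
        'summary' => $summary,
    ) );
}
```

When reviewing a plugin for this class of issue, look at every register_rest_route call whose permission_callback is '__return_true', 'is_user_logged_in', or a capability check that ignores the request (for example current_user_can( 'edit_posts' ) with no post ID): each one hands the callback's output to any account that clears that bar, regardless of who owns the object being read.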

Affected Version(s)

Slim SEO – A Fast & Automated SEO Plugin For WordPress: all versions up to and including 4.9.8

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

The 4.3 base score corresponds to a confidentiality-only impact (C:L/I:N/A:N); an Availability impact of Low with these exploitability metrics would score 5.4, so it is not consistent with the recorded score or with a read-only disclosure issue.

Credit

Abu Hurayra (HurayraIIT)