CVE Catalog

CVE-2026-12408

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile — higher than 17% of all known CVEs

Summary

The Slim SEO plugin for WordPress up to version 4.9.8 contains a vulnerability allowing unauthorized disclosure of private content. The issue is in the REST API endpoint `/wp-json/slim-seo/meta-tags/ai`, which does not properly verify user permissions to read a specific post, enabling authenticated attackers with Contributor-level access or higher to retrieve summaries of any post's content, including private, draft, pending, future, and password-protected posts.

Risk Assessment

The organization is at risk of leaking confidential content such as unpublished articles, drafts, or password-protected posts, potentially leading to data confidentiality breaches and loss of user trust.

Recommendation

Immediately update the Slim SEO plugin to the latest available version that fixes this vulnerability. As a temporary workaround, disable the REST API endpoint `/wp-json/slim-seo/meta-tags/ai` via firewall rules or .htaccess modifications until the update is applied.

Original NVD description (English source)

The Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin for WordPress is vulnerable to Unauthorized Private Content Disclosure in all versions up to, and including, 4.9.8 via the `/wp-json/slim-seo/meta-tags/ai` REST API endpoint. This is due to the endpoint's `permission_callback` performing only a top-level `edit_posts` capability check without verifying that the requesting user has read access to the specific post supplied via the `object.ID` parameter, allowing the `generate` function to pass the attacker-controlled post ID to `Data::get_post_content()`, which calls `get_post()` regardless of post status or ownership. This makes it possible for authenticated attackers with Contributor-level access and above to retrieve AI-generated summaries of the raw `post_content` of arbitrary posts they are not authorized to view — including private posts, drafts, pending, future, and password-protected content authored by other users — with the substance of the protected content disclosed via the HTTP response.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS