CVE-2025-14481 Overview
CVE-2025-14481 is an Insecure Direct Object Reference (IDOR) vulnerability in the Yoast SEO plugin for WordPress, affecting all versions up to and including 26.5. The flaw resides in the Meta Search REST API endpoint, which fails to verify post ownership before returning SEO metadata. Authenticated users with Contributor-level access or higher can supply an arbitrary post_id parameter to read SEO metadata from any post on the site. The exposed data includes metadata associated with posts owned by other users, private posts, and unpublished drafts. The issue is tracked under CWE-862: Missing Authorization.
Critical Impact
Authenticated Contributor-level attackers can read SEO metadata from any post on a WordPress site, including private and draft content owned by other users.
Affected Products
- Yoast SEO plugin for WordPress, all versions up to and including 26.5
- WordPress sites with Contributor or higher role accounts
- Sites using the Meta Search REST API endpoint exposed by Yoast SEO
Discovery Timeline
- 2026-05-27 - CVE-2025-14481 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2025-14481
Vulnerability Analysis
The vulnerability stems from missing authorization checks in the Meta Search REST API route registered by the Yoast SEO plugin. The endpoint accepts a post_id parameter and returns associated SEO metadata without validating whether the requesting user owns the referenced post or has the WordPress capability to view it. Contributor accounts in WordPress are intended to create and edit only their own posts, and they cannot publish content. This vulnerability breaks that boundary by exposing metadata from arbitrary posts, including drafts and private posts authored by editors or administrators. The exposed metadata may include SEO titles, descriptions, focus keywords, and other indexing-related fields that can disclose unreleased content strategy, embargoed announcements, or sensitive internal information.
Root Cause
The root cause is insufficient authorization logic in the route handler defined in src/routes/meta-search-route.php. The handler resolves the supplied post_id and returns metadata without invoking a capability check such as current_user_can( 'edit_post', $post_id ). The Yoast development team addressed the issue in the pull request resolving the IDOR and in the corresponding plugin changeset.
Attack Vector
Exploitation requires an authenticated session with Contributor-level access or above. The attacker issues an authenticated HTTP request to the Meta Search REST API endpoint and iterates the post_id parameter to enumerate metadata across the site. No user interaction or social engineering is required. Because the attack uses the plugin's intended REST interface, requests appear as normal application traffic and may not trigger generic web application firewall rules. Refer to the Wordfence vulnerability report for additional technical context.
Detection Methods for CVE-2025-14481
Indicators of Compromise
- Repeated authenticated REST API requests to the Yoast Meta Search endpoint with sequentially incrementing post_id values
- REST API access from Contributor-level accounts targeting post_id values associated with private or draft posts
- Unusual volume of /wp-json/ requests originating from low-privilege user sessions
Detection Strategies
- Review WordPress REST API access logs for requests to the Yoast Meta Search route correlated with non-author user IDs
- Hunt for Contributor or Author accounts issuing high-frequency requests against endpoints under /wp-json/yoast/
- Correlate authenticated session activity against post ownership records to identify cross-author metadata access
Monitoring Recommendations
- Enable verbose WordPress REST API logging and forward events to a centralized analytics platform
- Alert on enumeration patterns where a single session accesses metadata for posts not authored by that user
- Track installed plugin versions across managed WordPress sites and flag instances of Yoast SEO at or below version 26.5
How to Mitigate CVE-2025-14481
Immediate Actions Required
- Upgrade the Yoast SEO plugin to a version newer than 26.5 that includes the fix from changeset 3412286
- Audit existing Contributor, Author, and Editor accounts and remove unused or unauthorized accounts
- Review WordPress access logs for prior enumeration of the Meta Search REST endpoint
Patch Information
The Yoast development team resolved the vulnerability in the Yoast SEO pull request 22797 and shipped the fix through plugin changeset 3412286. The fix adds authorization validation to the Meta Search REST route so that callers without the capability to edit the referenced post receive an authorization error instead of metadata. Site administrators should update through the WordPress plugin manager or by deploying the patched plugin archive.
Workarounds
- Restrict Contributor-level account creation and require administrator approval for new low-privilege accounts
- Disable or block the affected Yoast Meta Search REST route at the web server or WAF layer until the patched plugin version is deployed
- Temporarily deactivate the Yoast SEO plugin on sites where untrusted Contributor accounts exist and an upgrade cannot be applied immediately
# Example nginx rule to block the affected REST route until patching
location ~* /wp-json/yoast/v1/meta-search {
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
