Vulnerabilities and security research for slim-seo
Jun 12, 2025
Slim SEO – Fast & Automated WordPress SEO Plugin # CVE-2025-4611
- Date: May 21, 2025
- Research Description: The Slim SEO – Fast & Automated WordPress SEO Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's slim_seo_breadcrumbs shortcode in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions: max 4.5.4
- Status: vulnerable
Jun 15, 2026
Slim SEO – Fast & Automated WordPress SEO Plugin # CVE-2025-49854
- Date: Jun 17, 2025
- Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Anh Tran Slim SEO slim-seo allows SQL Injection. This issue affects Slim SEO: from n/a through <= 4.5.4.
- Affected versions: max 4.5.5
- Status: vulnerable
Jun 30, 2026
Slim SEO – Fast & Automated WordPress SEO Plugin # CVE-2026-57429
- Date: Jun 25, 2026
- Research Description: Broken Access Control exploitable by Contributor-level users in Slim SEO versions <= 4.6.2.
- Affected versions: max 4.7.0
- Status: vulnerable
Jul 02, 2026
Slim SEO – Fast & Automated WordPress SEO Plugin # CVE-2026-12408
- Date: Jul 01, 2026
- Research Description: The Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin for WordPress is vulnerable to Unauthorized Private Content Disclosure in all versions up to, and including, 4.9.8 via the `/wp-json/slim-seo/meta-tags/ai` REST API endpoint. This is due to the endpoint's `permission_callback` performing only a top-level `edit_posts` capability check without verifying that the requesting user has read access to the specific post supplied via the `object.ID` parameter, allowing the `generate` function to pass the attacker-controlled post ID to `Data::get_post_content()`, which calls `get_post()` regardless of post status or ownership. This makes it possible for authenticated attackers with Contributor-level access and above to retrieve AI-generated summaries of the raw `post_content` of arbitrary posts they are not authorized to view — including private posts, drafts, pending, future, and password-protected content authored by other users — with the substance of the protected content disclosed via the HTTP response.
- Affected versions: max 4.9.9
- Status: vulnerable