cleantalk
Vulnerabilities and Security Researches

Yoast SEO, CVE-2025-14481

CVE, Research URL

CVE-2025-14481

Home page URL

Security reports for Yoast SEO

Application

Yoast SEO

Published on
May 27, 2026
Research Description
The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify post ownership. This makes it possible for authenticated attackers, with Contributor-level access and above, to read sensitive SEO metadata from any post on the site via the 'post_id' parameter, including posts owned by other users, private posts, and draft posts.
Affected versions
max 26.6.
Status
vulnerable
Previous vulnerability researches
Centangle-Team (CVE-2025-12456) , Nov 11, 2025
Team 118GROUP Agent (CVE-2025-23512) , Jan 21, 2025
Luzuk Team (CVE-2024-51871) , Nov 12, 2024
OS Our Team (CVE-2024-52341) , Nov 12, 2024
Inpersttion For Theme (CVE-2025-8905) , Aug 16, 2025
New vulnerability
WP Search Analytics (CVE-2026-27357) , May 28, 2026
Sheets to WP Table Live Sync – WordPress Table Plugin with Google Sheets Integration (CVE-2026-24582) , May 28, 2026
MasterStudy LMS WordPress Plugin – for Online Courses and Education (CVE-2026-42730) , May 28, 2026
cformsII (CVE-2026-39436) , May 28, 2026
Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP (CVE-2026-24937) , May 28, 2026