CVE-2025-11734: Broken Link Checker Plugin Exposes WordPress Sites to Unauthorized Post Deletion!

Overview

CVE-2025-11734 is a medium-severity vulnerability affecting the “Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links” plugin for WordPress, in all versions up to and including 1.2.5. The flaw allows authenticated attackers with contributor-level access or higher to trash arbitrary posts because the plugin performs no per-post authorization check. A malicious contributor can therefore move any post on the site to the trash, well beyond what the contributor role is meant to permit.

Technical Details

The root cause is the plugin’s REST API endpoint. The /wp-json/aioseoBrokenLinkChecker/v1/post endpoint, intended for managing post-related broken link checks, is insufficiently protected. Instead of verifying whether the caller is allowed to delete a *specific* post, it only checks for the broad, plugin-level aioseo_blc_broken_links_page capability, which is granted even to contributor-level users. Consequently, any user with contributor access can send a DELETE request to this endpoint carrying the ID of any post on the site, and the post is moved to the trash. Because the check is tied to the plugin capability rather than to the target post, the plugin never confirms that the contributor is authorized to modify that particular post; this missing object-level permission check is what allows the unauthorized modification.
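As an added illustration (not the plugin’s source code, which this post does not reproduce), the following hypothetical WordPress REST route shows the authorization pattern described above beside the per-post check that prevents it. The closure variables and the example_ function name are assumptions; the namespace and capability name are the ones named above.

```php
<?php
// Hypothetical REST route registration (not the plugin's own code) showing
// the authorization weakness described above next to a per-post check.
add_action( 'rest_api_init', function () {
    // WEAK PATTERN: the permission callback only asks whether the caller holds
    // a broad plugin capability. Any role that has that capability can reach
    // the handler with any post ID, which is the class of bug in CVE-2025-11734.
    $weak_permission = function ( WP_REST_Request $request ) {
        return current_user_can( 'aioseo_blc_broken_links_page' );
    };

    // HARDENED PATTERN: resolve the target post and ask WordPress whether
    // *this* user may delete *that* post. 'delete_post' is a meta capability;
    // map_meta_cap() expands it to delete_posts / delete_others_posts /
    // delete_published_posts based on ownership and status, so a contributor
    // is refused on posts they do not own or may no longer edit.
    $per_post_permission = function ( WP_REST_Request $request ) {
        $post = get_post( absint( $request->get_param( 'id' ) ) );
        if ( ! $post ) {
            return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.',
                array( 'status' => 404 ) );
        }
        if ( ! current_user_can( 'delete_post', $post->ID ) ) {
            return new WP_Error( 'rest_cannot_delete',
                'Sorry, you are not allowed to delete this post.',
                array( 'status' => rest_authorization_required_code() ) );
        }
        return true;
    };

    register_rest_route( 'aioseoBrokenLinkChecker/v1', '/post', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_blc_trash_post',
        // Use the per-post check; $weak_permission is kept only for contrast.
        'permission_callback' => $per_post_permission,
        'args'                => array(
            'id' => array( 'required' => true, 'type' => 'integer' ),
        ),
    ) );
} );

// Handler: runs only after permission_callback returned true.
function example_blc_trash_post( WP_REST_Request $request ) {
    $post_id = absint( $request->get_param( 'id' ) );
    if ( ! wp_trash_post( $post_id ) ) {
        return new WP_Error( 'rest_cannot_trash', 'The post could not be trashed.',
            array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'trashed' => $post_id ) );
}
```

A quick way to audit any plugin for this bug class is to grep its register_rest_route() calls and confirm each permission_callback checks a capability scoped to the object the handler modifies, not just a plugin-wide one.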

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-11734 is 5.4 (Medium). This score reflects the following characteristics:

  • Attack Vector (AV): Network (N) – The attack can be launched remotely over a network.
  • Attack Complexity (AC): Low (L) – Exploitation requires little specialized knowledge or access.
  • Privileges Required (PR): Low (L) – The attacker needs only low-level privileges (contributor access) to exploit the vulnerability.
  • User Interaction (UI): None (N) – No user interaction is required for the attack to succeed.
  • Scope (S): Unchanged (U) – The vulnerability affects only the Broken Link Checker Plugin.
  • Confidentiality Impact (C): None (N) – The attack doesn’t compromise the confidentiality of data.
  • Integrity Impact (I): Low (L) – The integrity of the website is affected as content (posts) can be deleted.
  • Availability Impact (A): None (N) – The availability of the site isn’t directly impacted, although content is removed.

Possible Impact

The exploitation of CVE-2025-11734 can lead to several negative consequences:

  • Data Loss: Important blog posts, articles, or pages can be deleted, leading to information loss.
  • Website Defacement: A malicious contributor can effectively “deface” the website by removing critical content.
  • SEO Impact: Deleting important content can negatively impact the website’s search engine rankings.
  • Reputational Damage: Unexplained content removal can damage the website’s credibility and reputation.

Mitigation or Patch Steps

The recommended mitigation is to update the “Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links” plugin to the latest version. The vulnerability is patched in versions greater than 1.2.5. Update the plugin directly from your WordPress dashboard.

  1. Log in to your WordPress administration panel.
  2. Navigate to the “Plugins” section.
  3. Locate the “Broken Link Checker by AIOSEO” plugin.
  4. If an update is available, click the “Update Now” button.
  5. Verify that the updated version is higher than 1.2.5.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
