Yoast SEO Insecure Direct Object Reference Vulnerability Allowing Sensitive Information Exposure

Vulnerability

A vulnerability exists in the Yoast SEO plugin for WordPress, affecting all versions up to and including 26.5. It is an Insecure Direct Object Reference (IDOR) caused by inadequate authorization checks in the Meta Search REST API endpoint, which fails to validate post ownership. As a result, authenticated attackers with Contributor-level access or higher can read sensitive SEO metadata for any post on the site by supplying its ID in the 'post_id' parameter. This includes posts owned by other users as well as private and draft posts.

Impact

Exploitation of this vulnerability allows for unauthorized access to sensitive SEO metadata from any post on the site, including private and draft posts.

Remediation

Users are advised to update the Yoast SEO plugin to version 26.6 or a newer patched version.
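As an added illustration (not code from the Yoast SEO plugin), the following minimal WordPress REST route returns per-post SEO metadata and shows, side by side, the weak role-only permission check that produces this class of IDOR and the object-level check that prevents it. The namespace, route, meta keys and function names are hypothetical.

```php
<?php
// Hypothetical route: GET /wp-json/example-seo/v1/meta-search?post_id=<id>
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-seo/v1', '/meta-search', array(
        'methods'             => 'GET',
        'callback'            => 'example_seo_get_meta',
        'permission_callback' => 'example_seo_can_read_meta', // object-level check
        'args'                => array(
            'post_id' => array( 'required' => true, 'sanitize_callback' => 'absint' ),
        ),
    ) );
} );

// WEAK: only asks "is the caller some kind of author?". Every Contributor
// holds 'edit_posts', so any post_id on the site is readable (IDOR).
function example_seo_can_read_meta_weak( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' );
}

// CORRECT: bind the decision to the requested object. 'edit_post' is a
// meta-capability resolved per post, so a Contributor passes only for
// their own posts; Editors and Administrators pass for all posts.
function example_seo_can_read_meta( WP_REST_Request $request ) {
    $post_id = (int) $request['post_id'];
    $post    = get_post( $post_id );
    // One uniform 403 for "missing" and "not yours": a distinct 404 would
    // let a low-privilege caller enumerate which post IDs exist.
    if ( ! $post instanceof WP_Post || ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to read metadata for this post.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Only reached when the permission callback returned true.
function example_seo_get_meta( WP_REST_Request $request ) {
    $post_id = (int) $request['post_id'];
    return rest_ensure_response( array(
        'post_id'     => $post_id,
        'title'       => get_post_meta( $post_id, '_example_seo_title', true ), // hypothetical key
        'description' => get_post_meta( $post_id, '_example_seo_desc', true ),  // hypothetical key
    ) );
}
```

When reviewing a plugin for this bug class, look for REST routes whose permission_callback checks only a role or a generic capability while the callback reads an object selected by a caller-supplied ID.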

Added: May 27, 2026, 5:22 AM
Updated: May 27, 2026, 5:22 AM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 2.5
exploitability: 6.1
remediation: 7.7
relevance: 9.7
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.