SEO Flow by LupsOnline WordPress Plugin Missing Capability Check Vulnerability Allowing Unauthenticated Data Modification
Vulnerability
A vulnerability exists in the SEO Flow by LupsOnline plugin for WordPress, in all versions through 2.2.1. The issue arises from a lack of proper capability checks in the checkBlogAuthentication() and checkCategoryAuthentication() functions. These functions only provide basic API key authentication without incorporating WordPress capability checks, enabling unauthenticated attackers to create, modify, and delete blog posts and categories.
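The missing control described above, sketched as an added example that is not the plugin's code: a permission gate that accepts a request only when the API key matches and the authenticated WordPress user holds the capability for the action. It assumes the endpoints are WordPress REST routes; the `example-seo/v1` namespace, the `example_seo_api_key` option, the `x-example-api-key` header and all `example_seo_*` function names are hypothetical.

```php
<?php
// Added example: route, option and header names are hypothetical, not the plugin's.

// Shared gate: the API key identifies the integration, the capability authorizes the action.
function example_seo_authorize( WP_REST_Request $request, $capability ) {
    $stored   = (string) get_option( 'example_seo_api_key', '' );
    $supplied = (string) $request->get_header( 'x-example-api-key' );

    // An unset key must fail closed; hash_equals() gives a constant-time compare.
    if ( '' === $stored || ! hash_equals( $stored, $supplied ) ) {
        return new WP_Error( 'example_bad_key', 'Invalid API key.', array( 'status' => 401 ) );
    }
    // The WordPress capability check that key-only authentication lacks.
    if ( ! current_user_can( $capability ) ) {
        return new WP_Error( 'example_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    return true;
}

function example_seo_create_post( WP_REST_Request $request ) {
    $post_id = wp_insert_post( array(
        'post_title'   => sanitize_text_field( (string) $request->get_param( 'title' ) ),
        'post_content' => wp_kses_post( (string) $request->get_param( 'content' ) ),
        'post_status'  => 'draft',
    ), true ); // true: return WP_Error on failure
    return is_wp_error( $post_id ) ? $post_id : rest_ensure_response( array( 'id' => $post_id ) );
}

function example_seo_create_category( WP_REST_Request $request ) {
    $term = wp_insert_term( sanitize_text_field( (string) $request->get_param( 'name' ) ), 'category' );
    return is_wp_error( $term ) ? $term : rest_ensure_response( $term );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-seo/v1', '/posts', array(
        'methods'             => 'POST',
        'callback'            => 'example_seo_create_post',
        'permission_callback' => function ( $request ) {
            return example_seo_authorize( $request, 'edit_posts' );
        },
    ) );
    register_rest_route( 'example-seo/v1', '/categories', array(
        'methods'             => 'POST',
        'callback'            => 'example_seo_create_category',
        'permission_callback' => function ( $request ) {
            return example_seo_authorize( $request, 'manage_categories' );
        },
    ) );
} );
```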
Impact
Exploitation of this vulnerability allows for unauthorized creation, modification, and deletion of blog posts and categories.
Added: Feb 4, 2026, 9:27 AM
Updated: Feb 4, 2026, 5:15 PM
Vulnerability Rating
Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.1
remediation: 0.0
relevance: 2.5
threat: 3.2
urgency: 2.9
incentive: 4.2
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
