CyberRota

CVE-2026-12408

MEDIUM · CVSS 4.3 · EPSS 0.26%

Source: NVD + CISA KEV + EPSS · Published: 2026-07-01T08:16:20.943 · Fetched: 2026-07-01T18:36:36.680536+00:00

CyberRota Commentary

Detailed analysis required.

CVE: CVE-2026-12408
Severity: MEDIUM
CVSS: 4.3
EPSS: 0.26%
Tags: WordPress

Original NVD Description

The Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin for WordPress is vulnerable to Unauthorized Private Content Disclosure in all versions up to, and including, 4.9.8 via the `/wp-json/slim-seo/meta-tags/ai` REST API endpoint. This is due to the endpoint's `permission_callback` performing only a top-level `edit_posts` capability check without verifying that the requesting user has read access to the specific post supplied via the `object.ID` parameter, allowing the `generate` function to pass the attacker-controlled post ID to `Data::get_post_content()`, which calls `get_post()` regardless of post status or ownership. This makes it possible for authenticated attackers with Contributor-level access and above to retrieve AI-generated summaries of the raw `post_content` of arbitrary posts they are not authorized to view — including private posts, drafts, pending, future, and password-protected content authored by other users — with the substance of the protected content disclosed via the HTTP response.
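The root cause described above is a `permission_callback` that answers the question "may this user call the endpoint at all?" but not "may this user read the particular post named in the request?". The following is an added, hypothetical example (not Slim SEO's code; the namespace `example-plugin/v1`, the `example_*` function names and the request shape are assumptions) contrasting the weak pattern with a hardened callback that resolves the post and checks object-level read access before the handler ever touches `post_content`:

```php
<?php
// Added example, not from the Slim SEO plugin. Shows two permission_callback styles for a
// WordPress REST route that receives a post ID under object.ID.

// Weak pattern (the shape the advisory describes): only a top-level capability check.
// Any user holding edit_posts (Contributor and above) passes, no matter which post ID
// they submit, so the handler below would read other users' private or draft content.
function example_weak_permission( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' );
}

// Hardened pattern: keep the global capability gate, then require read access to the
// specific post object the request names.
function example_hardened_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }

    $object  = $request->get_param( 'object' );
    $post_id = ( is_array( $object ) && isset( $object['ID'] ) ) ? absint( $object['ID'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    if ( ! $post ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }

    // read_post is a meta capability: WordPress maps it to read_private_posts for private
    // posts and to edit_post (hence edit_others_posts) for another author's draft, pending
    // or scheduled post, so a Contributor is refused access to content they do not own.
    if ( ! current_user_can( 'read_post', $post->ID ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not read this post.', array( 'status' => 403 ) );
    }

    // Password-protected posts: the caller must have unlocked the post (post password cookie).
    if ( post_password_required( $post ) ) {
        return new WP_Error( 'rest_forbidden', 'This post is password protected.', array( 'status' => 403 ) );
    }

    return true;
}

// Handler: by the time this runs, the hardened callback has established read access.
function example_generate( WP_REST_Request $request ) {
    $object = $request->get_param( 'object' );
    $post   = get_post( absint( $object['ID'] ) );
    // Placeholder for the AI summary step; here just a trimmed excerpt of the content.
    return rest_ensure_response( array( 'summary' => wp_trim_words( $post->post_content, 40 ) ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/meta-tags/ai', array(
        'methods'             => 'POST',
        'callback'            => 'example_generate',
        'permission_callback' => 'example_hardened_permission', // not example_weak_permission
        'args'                => array(
            'object' => array( 'required' => true, 'type' => 'object' ),
        ),
    ) );
} );
```

The check belongs in `permission_callback` rather than in the handler: WordPress evaluates it before the route body runs, and `WP_Error` return values surface as proper 403/404 responses instead of leaking a partial result. When reviewing a plugin for this class of bug, look for every REST route whose `permission_callback` never references the request and whose handler later calls `get_post()` on a caller-supplied ID.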