Security Alert Summary
The Slim SEO – A Fast & Automated SEO Plugin For WordPress contains an information disclosure vulnerability (CVE-2026-12408) that allows authenticated users with low privileges (for example, Contributor-level accounts) to retrieve AI-generated summaries of raw post content for posts they should not be able to view, including private posts, drafts, pending, future, and password-protected content. The issue is reachable via a plugin REST API endpoint that performs an insufficient permission check.
CVE Details
- CVE ID: CVE-2026-12408
- Affected component: Slim SEO – A Fast & Automated SEO Plugin For WordPress (plugin)
- Affected versions: All versions up to and including 4.9.8
- Published: July 1, 2026 at 8:16:20 AM UTC
- Last modified: July 1, 2026 at 1:56:17 PM UTC
- CVSS v3.1 base score: 4.3 (MEDIUM)
- CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Authentication / privileges / user interaction: Requires an authenticated user with low privileges (PR:L). User interaction is not required (UI:N). The attack vector is the network (AV:N).
- Primary impact: Confidentiality: Low; Integrity: None; Availability: None
- CWE / weakness: CWE-200 (Information Exposure)
Technical Details
The vulnerability exists in the plugin’s REST API endpoint /wp-json/slim-seo/meta-tags/ai. The endpoint’s permission_callback performs only a top-level capability check for edit_posts and does not verify whether the requesting user has read access to the specific post identified by the object.ID parameter. As a result, the plugin’s generate function can pass an attacker-controlled post ID to Data::get_post_content(), which calls get_post() without checking post status or ownership.
This allows authenticated users with Contributor-level access and above to retrieve AI-generated summaries derived from the raw post_content of arbitrary posts they are not authorized to view, including private posts, drafts, pending, future, and password-protected content. The exposed content is returned in the HTTP response from the endpoint.
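To make the missing check concrete, here is an added example (not the plugin's own code) of the weak permission_callback pattern the advisory describes beside a hardened one that verifies read access to the specific post named in object.ID before the handler runs. The function names example_ai_permission_check_weak, example_ai_permission_check and example_ai_generate are hypothetical; the route path and parameter name follow the advisory.

```php
<?php
// Weak pattern described in the advisory: only a global capability is checked,
// so any Contributor passes regardless of which post ID the request names.
function example_ai_permission_check_weak( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' );
}

// Hardened pattern: resolve the post from the request, then require that the
// current user may read that particular post (not just edit posts in general).
function example_ai_permission_check( WP_REST_Request $request ) {
    if ( ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.',
            [ 'status' => rest_authorization_required_code() ] );
    }
    $object  = $request->get_param( 'object' );
    $post_id = is_array( $object ) ? absint( $object['ID'] ?? 0 ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post instanceof WP_Post ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', [ 'status' => 404 ] );
    }
    // read_post is a meta capability: public posts map to "read"; for private
    // posts by another author it maps to read_private_posts, and for draft,
    // pending or future posts by another author it maps to edit_post (which
    // needs edit_others_posts). A Contributor lacks both, so it is denied.
    if ( ! current_user_can( 'read_post', $post->ID ) ) {
        return new WP_Error( 'rest_forbidden', 'You cannot read this post.',
            [ 'status' => rest_authorization_required_code() ] );
    }
    // Password-protected posts: block unless the password cookie has been
    // supplied or the user is allowed to edit the post.
    if ( post_password_required( $post ) && ! current_user_can( 'edit_post', $post->ID ) ) {
        return new WP_Error( 'rest_forbidden', 'Post is password protected.',
            [ 'status' => rest_authorization_required_code() ] );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'slim-seo', '/meta-tags/ai', [
        'methods'             => 'POST',
        'callback'            => 'example_ai_generate', // hypothetical handler, not shown
        'permission_callback' => 'example_ai_permission_check',
    ] );
} );
```

Because the post is resolved and checked inside the permission_callback, the handler never receives a post ID the caller is not allowed to read, which is the class of defect the advisory describes.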
How This Could Impact Your Website
Consider a small editorial team with a site owner, several editors, internal staff contributors, and external freelancers. A contributor or other low-privilege authenticated user could call the plugin REST endpoint and receive AI-generated summaries of content they should not see. That might expose unpublished article drafts, private notes, or other sensitive text authored by different users.
Practical consequences include disclosure of in-progress content that could be used to:
- Leak unpublished business plans, campaigns, or internal discussions.
- Increase the risk of targeted phishing or social engineering against specific authors or staff by revealing topic details or phrasing.
- Complicate trust with external contributors if private drafts are exposed.
If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles and capabilities, especially for contributors.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins.
- Monitor site activity and logs for unusual behavior related to REST API requests and content access patterns.
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/slim-seo/tags/4.9.5/src/MetaTags/AI.php#L21
- https://plugins.trac.wordpress.org/browser/slim-seo/tags/4.9.5/src/MetaTags/AI.php#L55
- https://plugins.trac.wordpress.org/browser/slim-seo/tags/4.9.5/src/MetaTags/Data.php#L117
- https://plugins.trac.wordpress.org/browser/slim-seo/tags/4.9.8/src/MetaTags/AI.php#L21
- https://plugins.trac.wordpress.org/browser/slim-seo/tags/4.9.8/src/MetaTags/AI.php#L55
- https://plugins.trac.wordpress.org/browser/slim-seo/tags/4.9.8/src/MetaTags/Data.php#L117
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3576523%40slim-seo&new=3576523%40slim-seo&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6e6603a0-8f35-49fb-a517-ba6344538c4d?source=cve