The vulnerability identified as CVE-2025-11734 affects the Broken Link Checker plugin by AIOSEO for WordPress, versions up to and including 1.2.5. The root cause is a missing authorization check in a REST API endpoint (/wp-json/aioseoBrokenLinkChecker/v1/post) that allows authenticated users with contributor-level permissions or higher to delete (trash) arbitrary posts. The plugin verifies only a broad capability (aioseo_blc_broken_links_page) which contributors possess, but fails to verify if the user has permission to modify the specific post targeted by the DELETE request. This CWE-862 (Missing Authorization) vulnerability enables privilege escalation within the scope of contributor-level access, permitting unauthorized post modification. The CVSS 3.1 score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting integrity and availability. Although no exploits are currently known in the wild, the vulnerability could be leveraged by malicious insiders or compromised contributor accounts to disrupt content integrity or availability on affected WordPress sites. The vulnerability affects all plugin versions up to 1.2.5, with no patch links currently available, emphasizing the need for immediate mitigation.

This vulnerability can lead to unauthorized deletion (trashing) of posts by users who should not have such permissions, undermining content integrity and availability on affected WordPress sites. Organizations relying on the Broken Link Checker plugin may face content loss or disruption, impacting website reliability and user trust. Since contributor-level users are commonly assigned to content creators or editors, a compromised or malicious contributor account could exploit this flaw to delete critical posts or disrupt site operations. This can affect businesses, media outlets, educational institutions, and any entity using WordPress with this plugin. The impact is particularly significant for sites with multiple contributors and less stringent user management policies. Although confidentiality is not directly impacted, the integrity and availability of content are at risk, potentially causing reputational damage and operational downtime.

Organizations should immediately audit user roles and permissions, restricting contributor-level access to trusted users only. Until an official patch is released, consider disabling or uninstalling the Broken Link Checker plugin if contributor-level users exist. Implement additional access controls or custom authorization checks on the REST API endpoints via WordPress hooks or security plugins to enforce post-level permissions. Monitor logs for suspicious DELETE requests to the affected endpoint. Regularly update the plugin once a patch becomes available. Employ the principle of least privilege for user roles and consider multi-factor authentication to reduce the risk of compromised contributor accounts. Additionally, maintain regular backups of WordPress content to enable recovery from unauthorized deletions.