
CVE-2025-11734: CWE-862 Missing Authorization in aioseo Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links

Severity: Medium
Tags: Vulnerability, CVE-2025-11734, CWE-862
Published: Tue Nov 18 2025 (11/18/2025, 09:27:35 UTC)
Source: CVE Database V5
Vendor/Project: aioseo
Product: Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links

Description

The Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization in all versions up to, and including, 1.2.5. This is due to the plugin registering a REST API endpoint that only checks for a broad capability (aioseo_blc_broken_links_page) that is granted to contributor level users, without verifying the user's permission to perform actions on the specific post being targeted. This makes it possible for authenticated attackers, with contributor level access and above, to trash arbitrary posts via the DELETE /wp-json/aioseoBrokenLinkChecker/v1/post endpoint.

AI-Powered Analysis

Last updated: 11/25/2025, 11:09:20 UTC

Technical Analysis

CVE-2025-11734 is a vulnerability categorized under CWE-862 (Missing Authorization) found in the Broken Link Checker plugin by AIOSEO for WordPress, affecting all versions up to and including 1.2.5. The plugin exposes a REST API endpoint (/wp-json/aioseoBrokenLinkChecker/v1/post) that allows deletion (trashing) of posts. The flaw lies in the authorization mechanism: the endpoint only verifies that the user has the broad capability 'aioseo_blc_broken_links_page', which is granted to users with contributor-level access or higher, but does not check whether the user has permission to modify the specific post targeted. Consequently, any authenticated user with contributor or higher privileges can trash arbitrary posts, bypassing the intended per-post access controls. The vulnerability has a CVSS 3.1 base score of 5.4 (medium severity), with the vector indicating a network attack vector, low attack complexity, privileges required at the contributor level, no user interaction, unchanged scope, no confidentiality impact, limited integrity impact (post deletion), and limited availability impact (loss of posts). The vulnerability can be exploited remotely via the REST API without additional user interaction, making it a significant risk for WordPress sites using this plugin. No patches or known exploits are currently reported, but the risk remains until the plugin is fixed. The vulnerability primarily affects the integrity and availability of content on affected WordPress sites.
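To make the authorization gap concrete, the following is an added illustration of the pattern described above, not the plugin's actual source: a permission callback that tests only the broad plugin capability, beside a hardened version that additionally asks WordPress whether the current user may delete the specific post. The route, method and capability name come from the advisory; the 'id' request parameter, the function names and the hardened check are assumptions for this example.

```php
<?php
// Added example, not the plugin's code. The 'id' parameter name is an assumption.

// Pattern described in the advisory: only a broad capability is tested, so any
// contributor passes this check for any post id in the request.
function blc_example_vulnerable_permission( WP_REST_Request $request ) {
    return current_user_can( 'aioseo_blc_broken_links_page' );
}

// Hardened: keep the plugin capability, then check the per-post meta capability.
// 'delete_post' is resolved by map_meta_cap for that post, so a contributor can
// only trash their own unpublished drafts, never another author's posts.
function blc_example_hardened_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'aioseo_blc_broken_links_page' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient plugin capability.', array( 'status' => 403 ) );
    }
    $post_id = (int) $request->get_param( 'id' );
    if ( $post_id <= 0 || ! get_post( $post_id ) ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        return new WP_Error( 'rest_cannot_delete', 'You are not allowed to trash this post.', array( 'status' => 403 ) );
    }
    return true;
}

// Handler: by the time this runs, the permission callback has already decided.
function blc_example_trash_post( WP_REST_Request $request ) {
    $post_id = (int) $request->get_param( 'id' );
    if ( ! wp_trash_post( $post_id ) ) {
        return new WP_Error( 'rest_cannot_trash', 'Trashing failed.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'trashed' => $post_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'aioseoBrokenLinkChecker/v1', '/post', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'blc_example_trash_post',
        'permission_callback' => 'blc_example_hardened_permission', // swap in the vulnerable one to see the gap
        'args'                => array(
            'id' => array( 'required' => true, 'type' => 'integer', 'minimum' => 1 ),
        ),
    ) );
} );
```

The important difference is that the hardened callback passes the post id to current_user_can(), turning a role-wide check into a per-object one.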

Potential Impact

For European organizations, this vulnerability poses a risk to the integrity and availability of website content managed via WordPress using the Broken Link Checker plugin by AIOSEO. Unauthorized deletion of posts can lead to data loss, disruption of web services, and potential reputational damage, especially for organizations relying heavily on their web presence for communication, marketing, or e-commerce. The impact is heightened for organizations with multiple contributors or less restrictive user role management, as contributor-level users can exploit this flaw. Additionally, the loss or tampering of content could affect compliance with data retention policies or regulatory requirements related to information integrity. The vulnerability does not directly impact confidentiality but can indirectly affect trustworthiness and operational continuity. Given the widespread use of WordPress across Europe, especially in sectors like media, education, and small to medium enterprises, the potential impact is significant if exploited.

Mitigation Recommendations

European organizations should implement the following specific mitigations:
1) Immediately review and restrict contributor-level user permissions to the minimum necessary, ensuring that only trusted users have such access.
2) Disable or restrict access to the vulnerable REST API endpoint by implementing Web Application Firewall (WAF) rules that block DELETE requests to /wp-json/aioseoBrokenLinkChecker/v1/post from unauthorized users.
3) Monitor REST API usage logs for suspicious activity, particularly DELETE requests targeting posts.
4) Apply the principle of least privilege in WordPress user role assignments, considering temporarily demoting contributors to lower roles if feasible until a patch is available.
5) Engage with AIOSEO for updates or patches and plan prompt deployment once released.
6) Consider alternative plugins or custom solutions for broken link checking that do not expose such vulnerabilities.
7) Regularly back up WordPress content to enable recovery from unauthorized deletions.
These steps go beyond generic advice by focusing on access control tightening, monitoring, and proactive defense specific to this vulnerability.
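Steps 2 and 3 above can be implemented inside WordPress itself when a WAF is not available: the following added example (not vendor code) is a small must-use plugin that intercepts DELETE requests to the advisory's route before the plugin's own handler runs, enforces the per-post 'delete_post' capability, and logs every decision for monitoring. It assumes the post id is sent as an 'id' request parameter and that wp-content/mu-plugins/ is the deployment location; the route and method are taken from the advisory.

```php
<?php
/**
 * Plugin Name: BLC per-post delete guard (added example, not vendor code)
 * Description: Stop-gap for CVE-2025-11734 until the plugin is updated.
 * Install by copying this file into wp-content/mu-plugins/ (assumed location).
 * Assumes the post id travels as an 'id' parameter; adjust if the plugin differs.
 */

// rest_pre_dispatch runs after authentication but before route matching and the
// endpoint's permission_callback, so a WP_Error returned here ends the request.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( $request->get_method() !== 'DELETE' ) {
        return $result;
    }
    if ( $request->get_route() !== '/aioseoBrokenLinkChecker/v1/post' ) {
        return $result;
    }

    $post_id = (int) $request->get_param( 'id' );
    // Per-post meta capability: true only if this user may delete this post.
    $allowed = $post_id > 0 && current_user_can( 'delete_post', $post_id );

    // Log every attempt, allowed or denied, so step 3 (monitoring) has data to
    // alert on; one line per request in the PHP error log (constructed format).
    error_log( sprintf(
        'blc-guard: user=%d post=%d ip=%s decision=%s',
        get_current_user_id(),
        $post_id,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        $allowed ? 'allow' : 'deny'
    ) );

    if ( ! $allowed ) {
        return new WP_Error(
            'blc_guard_forbidden',
            'You are not allowed to trash this post.',
            array( 'status' => 403 )
        );
    }
    return $result; // null: let the normal dispatch continue
}, 10, 3 );
```

Repeated 'decision=deny' lines from one user id are the signal step 3 asks operators to watch for; remove the guard once the fixed plugin version is deployed.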


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-10-14T10:08:30.799Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 691c3e32a312a743bb510b75

Added to database: 11/18/2025, 9:36:50 AM

Last enriched: 11/25/2025, 11:09:20 AM

Last updated: 1/7/2026, 8:46:45 AM

Views: 39

