CVE-2025-11734 is a vulnerability classified under CWE-862 (Missing Authorization) found in the WordPress plugin Broken Link Checker by AIOSEO, versions up to and including 1.2.5. The plugin registers a REST API endpoint (/wp-json/aioseoBrokenLinkChecker/v1/post) intended to allow management of broken links. However, the endpoint only verifies a broad capability (aioseo_blc_broken_links_page) granted to users with contributor-level access or higher, without validating whether the user has permission to modify the specific post targeted by the DELETE request. This authorization oversight enables any authenticated user with contributor or higher privileges to trash arbitrary posts on the WordPress site. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The impact includes unauthorized post deletion, leading to integrity and availability issues on affected websites. The CVSS v3.1 score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required (low), no user interaction, unchanged scope, no confidentiality impact, low integrity impact, and low availability impact. No patches or exploits are currently reported, but the vulnerability presents a significant risk for content management on affected WordPress sites.

For European organizations, this vulnerability can lead to unauthorized deletion of website content, potentially disrupting business operations, damaging reputation, and causing loss of critical information. Organizations relying on WordPress for content management and using the Broken Link Checker plugin are at risk of content tampering by insiders or compromised contributor accounts. This could affect e-commerce sites, news portals, corporate blogs, and government websites, leading to degraded service availability and trustworthiness. The impact is particularly relevant for organizations with multiple contributors or less stringent access controls. While the vulnerability does not expose confidential data directly, the integrity and availability of published content are compromised, which can have downstream effects on customer trust and regulatory compliance, especially under GDPR where data integrity and availability are important. The medium severity score indicates a moderate but actionable risk that should be addressed promptly.

European organizations should immediately audit their WordPress installations to identify the presence of the Broken Link Checker by AIOSEO plugin and its version. If affected, they should upgrade to a patched version once available or temporarily disable the plugin to prevent exploitation. In the absence of an official patch, organizations can implement custom access controls by restricting contributor-level user capabilities or employing a Web Application Firewall (WAF) to block unauthorized REST API DELETE requests to the vulnerable endpoint. Additionally, monitoring REST API usage logs for suspicious DELETE requests targeting posts can help detect exploitation attempts. Organizations should also review user roles and permissions to ensure that contributor accounts are limited and monitored, reducing the risk of insider threats. Regular backups of website content are essential to enable recovery from unauthorized deletions. Finally, applying the principle of least privilege and enforcing multi-factor authentication for all WordPress users can further mitigate exploitation risks.