CVE-2025-15285
LupsOnline · SEO Flow plugin for WordPress
The SEO Flow by LupsOnline plugin for WordPress is vulnerable to unauthorized data modification due to missing capability checks on internal functions.
Executive summary
The SEO Flow WordPress plugin contains an unauthorized data modification vulnerability that allows low-privileged users to alter blog and category settings due to missing security checks.
Vulnerability
The vulnerability stems from a missing capability check in the 'checkBlogAuthentication()' and 'checkCategoryAuthentication()' functions. This allows an authenticated attacker, even with low-level permissions (like a subscriber), to modify site data they should not have access to.
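The bug class described above, shown as an added example that is not the plugin's code: a WordPress handler that only confirms the caller is logged in, next to one that checks a nonce and a capability before writing. The hook, function and meta-key names are hypothetical, and an admin-ajax entry point is assumed because the page does not say how the affected functions are reached.

```php
<?php
// Added illustration, not the plugin's code. The hook, function and meta-key
// names are hypothetical, and an admin-ajax entry point is assumed.

// Weak pattern: the handler only proves that the caller is logged in.
// wp_ajax_* actions fire for every authenticated role, subscribers included.
function example_seo_save_category_weak() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'login required' ), 401 );
    }
    $term_id = absint( $_POST['term_id'] ?? 0 );
    $title   = sanitize_text_field( wp_unslash( $_POST['seo_title'] ?? '' ) );
    update_term_meta( $term_id, 'example_seo_title', $title );
    wp_send_json_success();
}

// Corrected pattern: verify intent (nonce), then authority (capability),
// then that the target exists, and only then write.
function example_seo_save_category() {
    // Stops the request if the nonce from wp_create_nonce() is missing or stale.
    check_ajax_referer( 'example_seo_save_category', 'nonce' );

    // 'manage_categories' is held by editors and administrators by default,
    // not by subscribers, contributors or authors.
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $term_id = absint( $_POST['term_id'] ?? 0 );
    if ( ! $term_id || ! term_exists( $term_id, 'category' ) ) {
        wp_send_json_error( array( 'message' => 'unknown category' ), 404 );
    }

    $title = sanitize_text_field( wp_unslash( $_POST['seo_title'] ?? '' ) );
    update_term_meta( $term_id, 'example_seo_title', $title );
    wp_send_json_success( array( 'term_id' => $term_id ) );
}
add_action( 'wp_ajax_example_seo_save_category', 'example_seo_save_category' );
```

When reviewing other plugins for the same flaw, look for `wp_ajax_*` or REST callbacks that write options, post data or term metadata without a `current_user_can()` call on the path to the write.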
Business impact
Unauthorized modification of SEO settings and blog data can lead to search engine de-indexing, site defacement, or the injection of malicious links. With a CVSS score of 7.5, this represents a significant risk to the integrity of the website's content and its public reputation.
Remediation
Immediate Action: Update the SEO Flow by LupsOnline plugin to the latest version. If an update is unavailable, restrict user registration and review existing user permissions.
Proactive Monitoring: Review the site's audit logs for changes to SEO settings or category metadata made by non-administrative users.
Compensating Controls: Implement a security plugin that monitors for and blocks unauthorized changes to critical WordPress settings.
Exploitation status
Public Exploit Available: false
Analyst recommendation
To maintain the integrity of your website's SEO and content structure, this vulnerability must be addressed promptly. Apply the latest plugin update and ensure that only trusted individuals have any level of authenticated access to the site.