CVE-2025-6754
BaseFortify
Publication date: 2025-08-02
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | seo_metrics | 1.0.5 |
| wordpress | seo_metrics | 1.0.6 |
| wordpress | seo_metrics | 1.0.7 |
| wordpress | seo_metrics | 1.0.8 |
| wordpress | seo_metrics | 1.0.9 |
| wordpress | seo_metrics | 1.0.10 |
| wordpress | seo_metrics | 1.0.11 |
| wordpress | seo_metrics | 1.0.12 |
| wordpress | seo_metrics | 1.0.13 |
| wordpress | seo_metrics | 1.0.14 |
| wordpress | seo_metrics | 1.0.15 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the SEO Metrics WordPress plugin allows a subscriber-level user to escalate their privileges due to missing authorization checks. Specifically, the AJAX handler seo_metrics_handle_connect_button_click() only verifies a nonce but does not check the user's capabilities. This flaw enables a low-privileged user to retrieve a token and then use the seo_metrics_handle_custom_endpoint() function to access full administrator cookies, effectively gaining administrator-level access.
How can this vulnerability impact me?
The vulnerability can lead to a subscriber-level user obtaining administrator cookies, which allows them to perform actions with full administrator privileges. This can result in unauthorized access to sensitive site settings, data manipulation, installation of malicious code, or complete takeover of the WordPress site.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can focus on monitoring AJAX requests to the SEO Metrics plugin endpoints, specifically looking for calls to seo_metrics_handle_connect_button_click() and seo_metrics_handle_custom_endpoint() without proper authorization. Network monitoring tools can be used to inspect AJAX requests containing the nonce but originating from subscriber-level users. Commands to detect suspicious activity might include using curl or wget to test the endpoints with subscriber credentials, for example: `curl -X POST -d 'action=seo_metrics_handle_connect_button_click&nonce=...' https://yourwordpresssite.com/wp-admin/admin-ajax.php --cookie 'wordpress_logged_in_subscriber=...'`. Additionally, reviewing WordPress logs for unusual access patterns to these AJAX handlers or custom endpoints by low-privilege users can help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the SEO Metrics plugin to a version later than 1.0.15 where the authorization checks are properly implemented. If an update is not yet available, temporarily disabling the plugin will prevent exploitation. Additionally, restricting access to the AJAX handlers and custom endpoints by adding capability checks or blocking subscriber-level users from accessing these endpoints can mitigate risk. Monitoring and revoking any suspicious tokens or sessions that may have been compromised is also recommended. [1]
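The root cause described in the explanation above (a handler that verifies a nonce but never checks the caller's capability) and the capability-check mitigation recommended here are easier to see side by side. The following is an added illustration, not code from the SEO Metrics plugin or from Wordfence: a generic WordPress AJAX handler written in the vulnerable pattern, followed by the hardened form. All function, hook, nonce and option names are hypothetical.

```php
<?php
// Added example, not the SEO Metrics plugin's own code. Names are hypothetical.

// --- Vulnerable pattern (CWE-862): nonce check only -----------------------
// A nonce only proves the request came from a page WordPress rendered for the
// current logged-in session; it says nothing about WHICH user is calling.
// Any subscriber who can load a page carrying the nonce passes this check,
// so the privileged value is handed to a low-privileged user.
function example_connect_nonce_only() {
    check_ajax_referer( 'example_connect', 'nonce' );   // CSRF protection, not authorization
    $token = get_option( 'example_connect_token' );      // privileged data (hypothetical option)
    wp_send_json_success( array( 'token' => $token ) );
}

// --- Hardened pattern: nonce AND capability ---------------------------------
// Keep the nonce (CSRF) and add an authorization check. current_user_can()
// answers "is this particular user allowed to do this?", which is the check
// the vulnerable handler is missing. wp_send_json_error() exits, so no return
// statement is needed after it.
function example_connect_hardened() {
    check_ajax_referer( 'example_connect', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }
    $token = get_option( 'example_connect_token' );
    wp_send_json_success( array( 'token' => $token ) );
}

// Register a privileged action on wp_ajax_* only (logged-in users); never on
// wp_ajax_nopriv_*, which would expose it to anonymous visitors as well.
add_action( 'wp_ajax_example_connect', 'example_connect_hardened' );
```

When reviewing a plugin for this class of bug, search every `wp_ajax_*` callback (and every REST route's `permission_callback`) for a `current_user_can()` call, not just for `check_ajax_referer()` or `wp_verify_nonce()`; the presence of a nonce check alone is exactly the false sense of security that produces CWE-862 findings like this one.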