{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6754", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-26T21:57:29.753Z", "datePublished": "2025-08-02T07:24:20.355Z", "dateUpdated": "2026-04-08T16:50:12.289Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:50:12.289Z"}, "affected": [{"vendor": "seometricsplugin", "product": "SEO Metrics", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.15", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SEO Metrics plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks in both the seo_metrics_handle_connect_button_click() AJAX handler and the seo_metrics_handle_custom_endpoint() function in all versions up to, and including, 1.0.15. Because the AJAX action only verifies a nonce, without checking the caller\u2019s capabilities, a subscriber-level user can retrieve the token and then access the custom endpoint to obtain full administrator cookies."}], "title": "SEO Metrics <= 1.0.15 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48658b33-ae53-4919-8180-1188f72553f7?source=cve"}, {"url": "https://wordpress.org/plugins/seo-metrics-helper/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/seo-metrics-helper/trunk/endpoint.php"}, {"url": "https://plugins.trac.wordpress.org/browser/seo-metrics-helper/trunk/common-functions.php"}, {"url": "https://plugins.trac.wordpress.org/browser/seo-metrics-helper/trunk/seo-metrics.php"}, {"url": "https://plugins.trac.wordpress.org/browser/seo-metrics-helper/trunk/welcome-page.php"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3343566%40seo-metrics-helper&new=3343566%40seo-metrics-helper"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "timeline": [{"time": "2025-08-01T18:49:47.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-04T14:12:38.262508Z", "id": "CVE-2025-6754", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-04T14:12:45.211Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6754", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-04T14:12:38.262508Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-04T14:12:42.409Z"}}], "cna": {"title": "SEO Metrics <= 1.0.15 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation", "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "seometricsplugin", "product": "SEO Metrics", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.15"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-01T18:49:47.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48658b33-ae53-4919-8180-1188f72553f7?source=cve"}, {"url": "https://wordpress.org/plugins/seo-metrics-helper/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/seo-metrics-helper/trunk/endpoint.php"}, {"url": "https://plugins.trac.wordpress.org/browser/seo-metrics-helper/trunk/common-functions.php"}, {"url": "https://plugins.trac.wordpress.org/browser/seo-metrics-helper/trunk/seo-metrics.php"}, {"url": "https://plugins.trac.wordpress.org/browser/seo-metrics-helper/trunk/welcome-page.php"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3343566%40seo-metrics-helper&new=3343566%40seo-metrics-helper"}], "descriptions": [{"lang": "en", "value": "The SEO Metrics plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks in both the seo_metrics_handle_connect_button_click() AJAX handler and the seo_metrics_handle_custom_endpoint() function in all versions up to, and including, 1.0.15. Because the AJAX action only verifies a nonce, without checking the caller\u2019s capabilities, a subscriber-level user can retrieve the token and then access the custom endpoint to obtain full administrator cookies."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:50:12.289Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6754", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:50:12.289Z", "dateReserved": "2025-06-26T21:57:29.753Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-02T07:24:20.355Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The SEO Metrics plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks in both the seo_metrics_handle_connect_button_click() AJAX handler and the seo_metrics_handle_custom_endpoint() function in all versions up to, and including, 1.0.15. Because the AJAX action only verifies a nonce, without checking the caller\u2019s capabilities, a subscriber-level user can retrieve the token and then access the custom endpoint to obtain full administrator cookies."}, {"lang": "es", "value": "El complemento SEO Metrics para WordPress es vulnerable a la escalada de privilegios debido a la falta de comprobaciones de autorizaci\u00f3n tanto en el controlador AJAX seo_metrics_handle_connect_button_click() como en la funci\u00f3n seo_metrics_handle_custom_endpoint() en las versiones 1.0.5 a 1.0.15. Dado que la acci\u00f3n AJAX solo verifica un nonce, sin comprobar las capacidades del emisor, un usuario de nivel suscriptor puede recuperar el token y acceder al endpoint personalizado para obtener cookies de administrador completas."}], "id": "CVE-2025-6754", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-02T08:15:26.653", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/seo-metrics-helper/trunk/common-functions.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/seo-metrics-helper/trunk/endpoint.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/seo-metrics-helper/trunk/seo-metrics.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/seo-metrics-helper/trunk/welcome-page.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3343566%40seo-metrics-helper&new=3343566%40seo-metrics-helper"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/seo-metrics-helper/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48658b33-ae53-4919-8180-1188f72553f7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:58:31.496769+00:00", "value": {"mitigation_remediation": ["Upgrade the SEO Metrics plugin to the latest available version (1.0.16 or higher) which contains proper capability checks for both the AJAX handler and the custom endpoint.", "If an immediate upgrade is not possible, disable or remove the affected AJAX routes and custom endpoint code to eliminate the escalation path.", "Configure WordPress role\u2011based access controls or a security plugin to ensure that any AJAX actions requiring administrative privileges are strictly limited to administrator users only, thereby preventing lower\u2011privileged accounts from triggering the vulnerable flows."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation to Administrator"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress plugin \"SEO Metrics\" in all releases numbered 1.0.15 or lower. Users installing these versions on any WordPress installation are at risk. No other products or vendor releases are listed as impacted.", "description_and_impact": "The SEO Metrics plugin for WordPress suffers from missing authorization checks in two critical code paths: the AJAX handler seo_metrics_handle_connect_button_click() and the seo_metrics_handle_custom_endpoint() function. In all versions up to and including 1.0.15, a subscriber\u2011level user can request a nonce\u2011protected AJAX action, capture the returned token, and then call the custom endpoint, which blindly issues the full administrator\u2011mode cookie set. The result is that an authenticated user with the lowest privilege can acquire administrative credentials and gain unrestricted control over the site, representing a severe authority escalation flaw. The weakness is identified as a missing authorization check (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 8.8 classifies this flaw as Critical, and the EPSS score of less than 1% indicates a low probability of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog, implying no confirmed public exploits yet. The flaw requires only a valid subscriber account, which is a common role on WordPress sites, widening the attack surface. An attacker with a subscriber account can exploit the AJAX handler to obtain a token and call the custom endpoint to receive administrator cookies. This demonstrates a local privilege escalation without the need for additional external attacks."}}}}, "created": "2025-08-04T08:49:34.647049+00:00", "updated": "2026-04-22T01:00:04.370986+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}