CVE-2025-13085 is an improper authorization vulnerability (CWE-285) found in the SiteSEO – SEO Simplified WordPress plugin developed by Softaculous, affecting all versions up to and including 1.3.2. The root cause is missing object-level authorization checks within the resolve_variables() AJAX handler. This flaw allows authenticated users possessing the siteseo_manage capability—typically users with Author-level privileges who have been granted SiteSEO access by an administrator—to read arbitrary post metadata from any post, page, attachment, or WooCommerce order they do not have edit permissions for. The vulnerability is particularly critical in WooCommerce installations where legacy storage is enabled, as it exposes sensitive customer billing information such as names, email addresses, phone numbers, physical addresses, and payment methods. The attack vector requires network access to the WordPress site and valid authentication with the specific plugin capability but does not require further user interaction. The vulnerability impacts confidentiality by enabling unauthorized data disclosure but does not affect data integrity or availability. No public exploits have been reported yet, and no official patches are currently available, though updates are expected. The CVSS v3.1 base score is 4.3 (medium severity), reflecting the limited scope and required privileges for exploitation. This vulnerability highlights the importance of proper authorization checks in AJAX handlers and the risks posed by granting plugin capabilities to lower-privileged users.

For European organizations using WordPress sites with the SiteSEO – SEO Simplified plugin, particularly those running WooCommerce stores, this vulnerability poses a significant risk to customer data confidentiality. Unauthorized disclosure of sensitive billing information can lead to privacy violations, regulatory non-compliance (e.g., GDPR), reputational damage, and potential financial fraud. The exposure of personal identifiable information (PII) such as names, contact details, and payment methods can facilitate identity theft and targeted phishing attacks. Although the vulnerability does not allow data modification or service disruption, the breach of confidentiality alone can have severe legal and operational consequences under European data protection laws. Organizations with multiple authors or contributors granted SiteSEO access are at higher risk, as these users can exploit the flaw without needing elevated administrative privileges. The lack of public exploits reduces immediate risk but does not eliminate the threat, especially from insider threats or targeted attackers with valid credentials.

European organizations should immediately audit and restrict the assignment of the siteseo_manage capability to only highly trusted users, preferably administrators. Disable legacy storage in WooCommerce if not required, as it increases exposure risk. Monitor and log usage of the resolve_variables() AJAX handler to detect unusual access patterns. Implement strict role-based access controls (RBAC) and review plugin permissions regularly. Until an official patch is released, consider temporarily disabling the SiteSEO plugin or removing SiteSEO access from non-administrative users. Employ Web Application Firewalls (WAFs) to monitor and potentially block suspicious AJAX requests targeting the vulnerable handler. Educate site administrators about the risk and encourage prompt application of updates once available. Additionally, conduct privacy impact assessments to evaluate exposure and notify affected customers if data leakage is suspected, in compliance with GDPR requirements.