CVE-2025-28997 is a medium-severity vulnerability classified under CWE-862 (Missing Authorization) affecting the WordPress plugin WP AutoKeyword developed by EXEIdeas International. This vulnerability arises due to improperly configured access control mechanisms within the plugin, allowing unauthorized users to perform actions that should require authorization. Specifically, the flaw enables exploitation of incorrect access control security levels, meaning that certain functionalities or resources within the plugin can be accessed or manipulated without proper permission checks. The CVSS v3.1 base score is 5.3, indicating a medium severity level. The vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N shows that the vulnerability can be exploited remotely over the network without any privileges or user interaction, impacting the integrity of the system but not confidentiality or availability. The affected versions are not explicitly enumerated but include versions up to 1.0. No patches or fixes have been published yet, and there are no known exploits in the wild at the time of reporting. The vulnerability could allow attackers to modify or inject unauthorized keywords or metadata into WordPress sites using this plugin, potentially affecting site content integrity and SEO configurations. Since the vulnerability does not require authentication or user interaction, it poses a risk to any WordPress site using the vulnerable plugin, especially those with public-facing interfaces.

For European organizations, the impact of this vulnerability can be significant depending on the reliance on the WP AutoKeyword plugin for content management and SEO optimization. Unauthorized modification of keywords or metadata can lead to integrity issues, such as defacement or manipulation of site content, which could damage brand reputation and trust. In regulated sectors like finance, healthcare, or government, unauthorized content changes could also lead to compliance violations if misleading or harmful information is introduced. Although the vulnerability does not directly compromise confidentiality or availability, the integrity impact can indirectly affect business operations and user trust. Additionally, attackers could leverage this vulnerability as a foothold for further attacks or to inject malicious SEO content that could harm search engine rankings or redirect users to malicious sites. The lack of required authentication and user interaction increases the risk of automated exploitation attempts, which could lead to widespread impact if the plugin is widely deployed in European WordPress sites.

Given the absence of an official patch, European organizations should take immediate steps to mitigate risk. First, conduct an inventory to identify all WordPress instances using the WP AutoKeyword plugin. If feasible, temporarily disable or uninstall the plugin until a security update is available. Restrict access to WordPress administrative interfaces using IP whitelisting or VPNs to limit exposure. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the plugin’s endpoints or parameters associated with keyword management. Monitor logs for unusual activity related to the plugin, such as unexpected POST requests or changes to keyword metadata. Educate site administrators about the vulnerability and encourage prompt updates once a patch is released. Additionally, consider alternative SEO keyword management plugins with a stronger security track record as a longer-term solution. Regular backups of site content and configurations should be maintained to enable quick restoration in case of compromise.