
CVE-2025-6754: CWE-862 Missing Authorization in seometricsplugin SEO Metrics

Severity: High
Tags: Vulnerability, CVE-2025-6754, CWE-862
Published: Sat Aug 02 2025 (08/02/2025, 07:24:20 UTC)
Source: CVE Database V5
Vendor/Project: seometricsplugin
Product: SEO Metrics

Description

The SEO Metrics plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks in both the seo_metrics_handle_connect_button_click() AJAX handler and the seo_metrics_handle_custom_endpoint() function in versions 1.0.5 through 1.0.15. Because the AJAX action only verifies a nonce, without checking the caller’s capabilities, a subscriber-level user can retrieve the token and then access the custom endpoint to obtain full administrator cookies.

AI-Powered Analysis

Last updated: 08/10/2025, 00:58:48 UTC

Technical Analysis

CVE-2025-6754 is a high-severity privilege escalation vulnerability affecting the SEO Metrics plugin for WordPress, versions 1.0.5 through 1.0.15. The core issue is missing authorization checks in two components: the seo_metrics_handle_connect_button_click() AJAX handler and the seo_metrics_handle_custom_endpoint() function. The AJAX action verifies a nonce but never validates the caller's capabilities. A nonce protects against forged requests; it does not establish that the caller is permitted to perform the action. As a result, a user with subscriber-level privileges can retrieve the token and then use it against the custom endpoint to obtain full administrator cookies, escalating to administrator. The vulnerability is classified under CWE-862 (Missing Authorization), meaning the system fails to enforce access control on a sensitive operation.

The CVSS v3.1 score of 8.8 reflects high impact on confidentiality, integrity, and availability, with a network attack vector, low attack complexity, low privileges required, and no user interaction. Although no known exploits are currently reported in the wild, the vulnerability presents a significant risk due to the widespread use of WordPress and the use of the SEO Metrics plugin in website management and digital marketing contexts. Exploitation could lead to full site compromise, data theft, defacement, or further lateral movement within the hosting environment.
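The nonce-only pattern described above, next to a handler that also checks capabilities. This is an added illustration, not the SEO Metrics plugin's source: the action name `example_connect`, the option `example_connect_token` and both handler names are hypothetical.

```php
<?php
// Added illustration; every name prefixed "example_" is hypothetical and
// does not come from the plugin.

// Before: nonce only. Any logged-in user who is served a valid nonce
// (a subscriber included) passes this check and receives the token.
function example_connect_nonce_only() {
    check_ajax_referer( 'example_connect', 'nonce' );
    wp_send_json_success(
        array( 'token' => get_option( 'example_connect_token' ) )
    );
}

// After: the nonce still guards against cross-site request forgery, and
// the capability check decides whether this caller may act at all.
function example_connect_authorized() {
    check_ajax_referer( 'example_connect', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() sends the response and terminates the request.
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    wp_send_json_success(
        array( 'token' => get_option( 'example_connect_token' ) )
    );
}

// wp_ajax_{action} fires for every authenticated user regardless of role,
// so registering the hook provides no authorization by itself.
add_action( 'wp_ajax_example_connect', 'example_connect_authorized' );
```

Any endpoint that later consumes the token needs its own check as well, since CWE-862 here applies to both functions named in the advisory.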

Potential Impact

For European organizations, this vulnerability poses a substantial threat, especially for those relying on WordPress for their web presence and utilizing the SEO Metrics plugin. Successful exploitation could lead to unauthorized administrative access, enabling attackers to manipulate website content, steal sensitive data including user credentials and cookies, or deploy malicious code such as backdoors or ransomware. This could result in reputational damage, regulatory non-compliance (notably with GDPR due to potential personal data exposure), financial losses, and operational disruptions. Given the importance of digital presence for businesses and public institutions in Europe, the impact extends beyond individual organizations to potentially affect customers and partners. Additionally, compromised websites could be leveraged as platforms for further attacks, including phishing or distribution of malware, amplifying the threat landscape within the region.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should immediately audit their WordPress installations to identify the presence and version of the SEO Metrics plugin. If affected versions (1.0.5 through 1.0.15) are in use, the plugin should be updated to a patched version as soon as it becomes available. In the absence of an official patch, organizations should consider temporarily disabling or uninstalling the plugin to prevent exploitation. Additionally, implementing strict role-based access controls to limit subscriber-level permissions and monitoring AJAX endpoint access logs for unusual activity can help detect and prevent exploitation attempts. Web Application Firewalls (WAFs) can be configured to block suspicious AJAX requests targeting the vulnerable endpoints. Regular security audits and penetration testing focused on authorization checks in plugins are recommended to proactively identify similar issues. Finally, organizations should ensure that all WordPress core and plugins are kept up to date and that security best practices, such as using strong authentication mechanisms and monitoring for anomalous administrative activities, are enforced.
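One way to carry out the audit step above from inside a loaded WordPress site (added example, not vendor tooling). It assumes the plugin's header name is "SEO Metrics", as the product is called on this page; the function name is hypothetical.

```php
<?php
// Added illustration. Run inside WordPress, for example from an
// administrator-only maintenance script or a must-use plugin.
// Assumption: the plugin header "Name" equals "SEO Metrics"; pass a
// different $name if the installed header differs.
require_once ABSPATH . 'wp-admin/includes/plugin.php';

function example_find_affected_seo_metrics( $name = 'SEO Metrics' ) {
    $hits = array();

    foreach ( get_plugins() as $file => $data ) {
        if ( 0 !== strcasecmp( $data['Name'], $name ) ) {
            continue;
        }

        // version_compare() compares segment by segment, so 1.0.15 sorts
        // after 1.0.5; a plain string comparison would get this wrong.
        $affected = version_compare( $data['Version'], '1.0.5', '>=' )
            && version_compare( $data['Version'], '1.0.15', '<=' );

        $hits[] = array(
            'file'     => $file,                      // path relative to the plugins directory
            'version'  => $data['Version'],
            'active'   => is_plugin_active( $file ),  // inactive copies still warrant removal
            'affected' => $affected,
        );
    }

    return $hits;
}
```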


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-06-26T21:57:29.753Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 688dbf27ad5a09ad00d1faf8

Added to database: 8/2/2025, 7:32:55 AM

Last enriched: 8/10/2025, 12:58:48 AM

Last updated: 9/14/2025, 9:45:27 AM
