CVE-2025-6754 is a critical privilege escalation vulnerability identified in the SEO Metrics plugin for WordPress, affecting versions 1.0.5 through 1.0.15. The root cause is a missing authorization check (CWE-862) in two functions: seo_metrics_handle_connect_button_click() and seo_metrics_handle_custom_endpoint(). These functions handle AJAX requests and custom endpoints but only verify a nonce without validating the caller's user capabilities. As a result, a user with minimal privileges (subscriber role) can exploit the vulnerability by triggering the AJAX handler to retrieve a sensitive token. This token can then be used to access the custom endpoint, which returns administrator cookies. Possession of these cookies enables the attacker to hijack admin sessions, gaining full administrative control over the WordPress site. The vulnerability does not require user interaction and can be exploited remotely over the network (AV:N). The attack complexity is low (AC:L), and only low privileges are needed (PR:L). The vulnerability affects confidentiality, integrity, and availability (C:H/I:H/A:H) of the site, as an attacker can fully compromise the system. Although no public exploits are reported yet, the high CVSS score of 8.8 reflects the severe risk posed. The vulnerability was reserved on June 26, 2025, and published on August 2, 2025. No official patches have been linked yet, increasing the urgency for mitigation.

The impact of CVE-2025-6754 is severe for organizations using the SEO Metrics WordPress plugin. An attacker with subscriber-level access can escalate privileges to administrator, enabling full control over the affected WordPress site. This includes the ability to modify site content, install malicious plugins or backdoors, steal sensitive data, and disrupt site availability. The compromise of administrator cookies can lead to persistent access and lateral movement within the hosting environment. For organizations relying on WordPress for business-critical websites, this can result in data breaches, reputational damage, financial loss, and regulatory non-compliance. Given WordPress's widespread use globally, the vulnerability poses a significant risk to small and medium businesses, enterprises, and managed service providers. The lack of authentication checks in AJAX handlers is a common attack vector, making this vulnerability attractive to attackers seeking easy privilege escalation paths.

To mitigate CVE-2025-6754, organizations should immediately audit their WordPress installations to identify the presence of the SEO Metrics plugin versions 1.0.5 through 1.0.15. Until an official patch is released, the following specific actions are recommended: 1) Disable or uninstall the SEO Metrics plugin to eliminate the attack surface. 2) Implement Web Application Firewall (WAF) rules to block or monitor AJAX requests targeting the vulnerable endpoints, especially from subscriber roles. 3) Restrict user roles and permissions to minimize subscriber accounts and monitor for unusual privilege escalation attempts. 4) Employ security plugins that can detect anomalous cookie usage or session hijacking. 5) Regularly review WordPress logs for suspicious AJAX activity or unauthorized access attempts. 6) Once a patch is available, apply it promptly and verify that authorization checks are properly enforced in the plugin code. 7) Educate administrators on the risks of privilege escalation vulnerabilities and enforce strong authentication and session management practices.