CVE-2025-6754: CWE-862 Missing Authorization in seometricsplugin SEO Metrics
The SEO Metrics plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks in both the seo_metrics_handle_connect_button_click() AJAX handler and the seo_metrics_handle_custom_endpoint() function in versions 1.0.5 through 1.0.15. Because the AJAX action only verifies a nonce, without checking the caller’s capabilities, a subscriber-level user can retrieve the token and then access the custom endpoint to obtain full administrator cookies.
AI Analysis
Technical Summary
CVE-2025-6754 is a high-severity privilege escalation vulnerability in the SEO Metrics plugin for WordPress, affecting versions 1.0.5 through 1.0.15. The root cause is missing authorization checks in two components: the seo_metrics_handle_connect_button_click() AJAX handler and the seo_metrics_handle_custom_endpoint() function.

The AJAX handler verifies a nonce, but a WordPress nonce is a CSRF defence, not an authorization check: it is tied to the requesting user's own session and is handed to any logged-in user who can load the page or script that emits it. The handler never calls current_user_can() or otherwise verifies the caller's role, so a subscriber-level account, one of the lowest-privilege roles in WordPress, can invoke it and retrieve the connect token. Presenting that token to the custom endpoint yields administrator authentication cookies, which the attacker then uses to hijack an administrator session and take full control of the site.

The weakness is CWE-862 (Missing Authorization). The CVSS v3.1 base score is 8.8, which is High rather than Critical; the components described by the advisory (network attack vector, low attack complexity, low privileges required, no user interaction, high impact on confidentiality, integrity and availability) are consistent with that score. The required privilege is a subscriber account, which sites with open registration or commenting often grant to anyone. On a default installation an administrator can upload plugins and themes and edit theme files, so administrative access is effectively PHP code execution on the web server: the attacker can modify content, install backdoors or take the site down. No exploitation in the wild has been reported at the time of writing and no official patch is linked, so mitigation relies on protective measures and monitoring until a fixed release is available.
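The difference between the two checks, shown as an added illustration that is not the SEO Metrics plugin's code: the handler names, the AJAX action names (example_connect, example_connect_fixed), the REST route example/v1/connect and the option keys are assumed placeholders chosen for this example. The first handler reproduces the nonce-only pattern the summary describes; the second adds the capability check; the endpoint shows how a connect token can be consumed without ever issuing another user's cookies.

```php
<?php
/**
 * Illustrative pattern only. Function, action and option names are assumed
 * for this example and are not the SEO Metrics plugin's actual code.
 */

// --- Vulnerable pattern: the handler trusts the nonce alone -----------------
// check_ajax_referer() proves the request came from a page rendered for the
// *current* logged-in user (anti-CSRF). It says nothing about that user's
// role, so a subscriber who can load the page that prints the nonce passes.
add_action( 'wp_ajax_example_connect', 'example_connect_vulnerable' );
function example_connect_vulnerable() {
    check_ajax_referer( 'example_connect_nonce', 'nonce' );

    // Everything issued here is reachable by every authenticated role.
    $token = wp_generate_password( 32, false );
    update_option( 'example_connect_token', $token );
    wp_send_json_success( array( 'token' => $token ) );
}

// --- Hardened pattern: nonce (anti-CSRF) AND capability (authorization) ------
add_action( 'wp_ajax_example_connect_fixed', 'example_connect_fixed' );
function example_connect_fixed() {
    check_ajax_referer( 'example_connect_nonce', 'nonce' );

    // Connecting the site to an external service is an administrative action,
    // so require the capability that gates site settings. wp_send_json_error()
    // terminates the request, so nothing below runs for other roles.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $token = wp_generate_password( 32, false );
    // Store a keyed hash and an expiry, not the secret itself, so a later read
    // of wp_options does not leak a usable token.
    update_option( 'example_connect_token_hash', wp_hash( $token ) );
    update_option( 'example_connect_token_expires', time() + 5 * MINUTE_IN_SECONDS );
    wp_send_json_success( array( 'token' => $token ) );
}

// --- Custom endpoint: a token must never mint someone else's session ----------
// If the connect flow needs its own endpoint, register it through the REST API
// with a permission_callback instead of a bare query-var handler.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/connect', array(
        'methods'             => 'POST',
        'callback'            => 'example_connect_endpoint',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function example_connect_endpoint( WP_REST_Request $request ) {
    $token   = (string) $request->get_param( 'token' );
    $hash    = get_option( 'example_connect_token_hash', '' );
    $expires = (int) get_option( 'example_connect_token_expires', 0 );

    // Constant-time compare against the stored hash; reject expired tokens.
    if ( '' === $hash || time() > $expires || ! hash_equals( $hash, wp_hash( $token ) ) ) {
        return new WP_Error( 'invalid_token', 'Token invalid or expired.', array( 'status' => 403 ) );
    }

    // One-time use: a replayed token must fail.
    delete_option( 'example_connect_token_hash' );
    delete_option( 'example_connect_token_expires' );

    // Note what is absent: no wp_set_auth_cookie() for an administrator. The
    // caller is already authenticated and authorized by the permission_callback.
    return rest_ensure_response( array( 'connected' => true ) );
}
```

The point of the endpoint half is that a bearer token is proof of possession, not an identity: the caller's WordPress session decides who they are, and the token only authorizes the single connect step for a caller already allowed to perform it.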
Potential Impact
For European organizations running WordPress with an affected version of the SEO Metrics plugin, the risk is severe. Many European businesses, government agencies and NGOs rely on WordPress for their web presence. An attacker who exploits this flaw obtains full administrative access, which enables theft of sensitive customer or internal data, website defacement, insertion of malicious code (for example malware distribution or phishing pages), and disruption of online services. Because a WordPress administrator can upload plugins and themes, administrative access also means arbitrary PHP execution on the web server, from which an attacker can read database credentials in wp-config.php and move laterally within the hosting environment or to connected systems. Under the GDPR and related data-protection regimes, such a compromise can bring significant regulatory penalties as well as reputational damage. The low attack complexity and the absence of any user-interaction requirement make exploitation likely wherever subscriber accounts are common or registration is open, and the lack of a patch at the time of disclosure makes urgent mitigation necessary.
Mitigation Recommendations
1. Until a fixed release is available, disable or remove the SEO Metrics plugin. This is the only complete mitigation, because the missing check sits inside the plugin itself.
2. Close open user registration (Settings, General, Membership) where the site does not need it, and review existing subscriber accounts. The plugin performs no capability check at all, so keeping untrusted accounts off the site is the only role-based control available; tightening the subscriber role's capabilities does not help.
3. Put Web Application Firewall (WAF) rules in front of the plugin's entry points. WAF rules match on the HTTP request, not on PHP function names: filter requests to wp-admin/admin-ajax.php whose action parameter is the one registered for seo_metrics_handle_connect_button_click(), and requests to the URL served by seo_metrics_handle_custom_endpoint(). Read both identifiers from the installed plugin's source, then block them for non-administrators or at least alert on them.
4. Monitor web-server and WordPress logs for those same requests, in particular an admin-ajax.php call followed by a request to the custom endpoint from the same client, and for administrator sessions that appear without a matching login event.
5. If the plugin must stay active, hot-fix it: add a current_user_can('manage_options') check before any processing in the AJAX handler, and reject requests to the custom endpoint from callers without that capability. A must-use plugin that gates the action name before the handler runs avoids editing vendor files that the next update would overwrite.
6. Update WordPress core and all plugins as soon as fixed versions are published, and re-enable the plugin only on a release the vendor confirms as fixed.
7. Audit for compromise: unexpected administrator accounts, modified plugin or theme files, new scheduled tasks and unfamiliar sessions. If abuse is suspected, rotate the authentication keys and salts in wp-config.php and force a re-login; this invalidates every existing cookie, including any stolen administrator cookie.
8. Brief site administrators on the risk and on the indicators above so that a rapid response is possible.
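A site-side hot-fix of the kind the recommendations above describe, as an added example that is neither the plugin's nor the vendor's code: a must-use plugin that denies the connect AJAX action and the custom endpoint path to anyone without manage_options, and logs each blocked attempt. The action name and endpoint path below are assumed placeholders; take the real ones from the installed plugin's add_action('wp_ajax_...') call and its endpoint registration before deploying.

```php
<?php
/**
 * Plugin Name: Virtual patch for nonce-only admin-ajax actions (example)
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 * The identifiers below are ASSUMED placeholders for this example; read the
 * real action name and endpoint path from the affected plugin's source.
 */

// admin-ajax actions that must be admin-only until the vendor fix is installed.
const EXAMPLE_ADMIN_ONLY_AJAX_ACTIONS = array(
    'seo_metrics_connect', // assumed name, not taken from the plugin
);

// Path fragment of the custom endpoint, likewise assumed.
const EXAMPLE_BLOCKED_ENDPOINT_FRAGMENT = '/seo-metrics-connect';

/**
 * Write one line to the PHP error log so blocked attempts are visible to SIEM
 * collection. Keep the fields stable: reason, user, id, client IP, URI.
 */
function example_virtual_patch_log( $reason ) {
    $user = wp_get_current_user();
    error_log( sprintf(
        '[virtual-patch] blocked %s: user=%s(%d) ip=%s uri=%s',
        $reason,
        $user->user_login ?: 'anonymous',
        $user->ID,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
    ) );
}

// 1. Gate the AJAX actions. admin-ajax.php fires 'admin_init' before it
//    dispatches do_action( "wp_ajax_{$action}" ), so the plugin's own handler
//    never runs for a caller we reject here. Priority 0 runs ahead of plugins.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    if ( in_array( $action, EXAMPLE_ADMIN_ONLY_AJAX_ACTIONS, true )
        && ! current_user_can( 'manage_options' ) ) {
        example_virtual_patch_log( 'ajax action ' . $action );
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // exits
    }
}, 0 );

// 2. Gate the custom endpoint by path. 'init' runs on front-end, admin and
//    REST requests alike, after the current user can be resolved from cookies.
add_action( 'init', function () {
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? (string) $_SERVER['REQUEST_URI'] : '';
    if ( false !== strpos( $uri, EXAMPLE_BLOCKED_ENDPOINT_FRAGMENT )
        && ! current_user_can( 'manage_options' ) ) {
        example_virtual_patch_log( 'custom endpoint' );
        status_header( 403 );
        exit;
    }
}, 0 );
```

Because the check runs before the plugin's hook, the plugin needs no editing and the hot-fix survives plugin updates; remove the mu-plugin once a vendor release with proper authorization is installed. The log line gives the monitoring recommendation a concrete signal: a subscriber account repeatedly hitting the blocked action is an attempted exploitation, not normal use.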
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-26T21:57:29.753Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 688dbf27ad5a09ad00d1faf8
Added to database: 8/2/2025, 7:32:55 AM
Last enriched: 8/2/2025, 7:47:43 AM
Last updated: 8/2/2025, 7:47:43 AM