CVE-2025-28997

Vulnerability

The WP AutoKeyword plugin for WordPress (version 1.0 and earlier) contains a Missing Authorization vulnerability [CVE-2025-28997]. The plugin fails to properly enforce access control checks on certain administrative functions, allowing requests without valid authentication to trigger actions that should require elevated privileges. The plugin is designed to automatically suggest and generate meta keywords for published posts, and the vulnerable endpoint is reachable from the default installation without any special configuration requirements.

Exploitation

An attacker with network access to a WordPress site running WP AutoKeyword version 1.0 can exploit this vulnerability by sending crafted HTTP requests to the affected plugin endpoints. The attacker does not need a valid user account or any prior authentication. No user interaction is required beyond the site being publicly accessible. The exploitation is straightforward: sending a specially crafted request triggers the vulnerable functionality without authorization checks.

Impact

Successful exploitation allows an attacker to improperly access or manipulate plugin features that should be restricted to authenticated administrators. This can lead to unauthorized modification of keyword data, potential disclosure of internal plugin state, or disruption of normal plugin operations. The impact is limited to the functionality exposed by the plugin, and does not directly lead to full site compromise, but it does violate the intended access control model.

Mitigation

The vendor, EXEIdeas International, has not released a patched version as of the publication date (2025-06-06). Users should disable the plugin until a fix is available. No workaround details have been provided in the available references [1]. The plugin is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.