High severity8.8NVD Advisory· Published Aug 2, 2025· Updated Apr 15, 2026
CVE-2025-6754
CVE-2025-6754
Description
The SEO Metrics plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks in both the seo_metrics_handle_connect_button_click() AJAX handler and the seo_metrics_handle_custom_endpoint() function in all versions up to, and including, 1.0.15. Because the AJAX action only verifies a nonce, without checking the caller’s capabilities, a subscriber-level user can retrieve the token and then access the custom endpoint to obtain full administrator cookies.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: <=1.0.15
Patches
Vulnerability mechanics
References
7- plugins.trac.wordpress.org/browser/seo-metrics-helper/trunk/common-functions.phpnvd
- plugins.trac.wordpress.org/browser/seo-metrics-helper/trunk/endpoint.phpnvd
- plugins.trac.wordpress.org/browser/seo-metrics-helper/trunk/seo-metrics.phpnvd
- plugins.trac.wordpress.org/browser/seo-metrics-helper/trunk/welcome-page.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- wordpress.org/plugins/seo-metrics-helper/nvd
- www.wordfence.com/threat-intel/vulnerabilities/id/48658b33-ae53-4919-8180-1188f72553f7nvd
News mentions
0No linked articles in our index yet.