CVE-2025-6754 Overview
CVE-2025-6754 is a privilege escalation vulnerability in the SEO Metrics plugin for WordPress affecting all versions up to and including 1.0.15. The flaw stems from missing authorization checks [CWE-862] in the seo_metrics_handle_connect_button_click() AJAX handler and the seo_metrics_handle_custom_endpoint() function. The AJAX action validates only a nonce and does not verify caller capabilities. A subscriber-level authenticated user can retrieve a token and then reach the custom endpoint to obtain full administrator cookies. This grants complete control of the affected WordPress site.
Critical Impact
Any authenticated user, including subscribers, can escalate to administrator by chaining the exposed AJAX handler with the custom endpoint to acquire admin session cookies.
Affected Products
- SEO Metrics plugin for WordPress (seo-metrics-helper)
- All versions up to and including 1.0.15
- WordPress sites permitting subscriber-level registration are at greatest risk
Discovery Timeline
- 2025-08-02 - CVE-2025-6754 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-6754
Vulnerability Analysis
The SEO Metrics plugin exposes two server-side entry points that fail to enforce capability checks. The seo_metrics_handle_connect_button_click() AJAX handler is registered for authenticated users and validates a WordPress nonce, but never calls current_user_can() or an equivalent role check. Because any logged-in user, including subscribers, can obtain the required nonce from front-end pages, the handler returns an authentication token to callers who should not receive it.
The second flaw resides in seo_metrics_handle_custom_endpoint(). This endpoint accepts the token issued by the AJAX handler and responds with valid administrator session cookies. Combining the two calls turns a low-privileged account into a site administrator without any social engineering or additional exploitation.
Root Cause
The root cause is Missing Authorization [CWE-862]. Nonce verification protects against Cross-Site Request Forgery but does not confirm that the authenticated caller holds the privileges required for sensitive operations. Token issuance and cookie generation must be gated behind an administrator capability check such as manage_options.
Attack Vector
An attacker registers or logs in as a subscriber on a vulnerable WordPress site. The attacker loads a plugin-rendered page to harvest the nonce, then issues an AJAX request to seo_metrics_handle_connect_button_click() to receive the connect token. The attacker submits the token to the custom endpoint, which returns administrator cookies. The attacker sets those cookies in a browser session and gains full administrative control, enabling arbitrary plugin installation, code execution through theme or plugin editors, and persistence.
A proof-of-concept for this vulnerability is not publicly available in verified sources. Refer to the Wordfence Vulnerability Analysis and the plugin source in common-functions.php and endpoint.php for technical details.
Detection Methods for CVE-2025-6754
Indicators of Compromise
- Unexpected AJAX requests to admin-ajax.php with the action parameter tied to seo_metrics_handle_connect_button_click originating from subscriber accounts.
- HTTP responses from the plugin's custom endpoint containing wordpress_logged_in_ cookie values delivered to non-administrator sessions.
- Sudden role changes, new administrator accounts, or newly installed plugins following requests to the SEO Metrics endpoints.
- Web server access logs showing subscriber IPs accessing plugin URIs under /wp-content/plugins/seo-metrics-helper/.
Detection Strategies
- Enable WordPress audit logging to record user role changes, plugin installations, and administrator logins.
- Alert on subscriber or contributor accounts issuing POST requests to plugin AJAX actions that return authentication tokens.
- Correlate low-privileged authentication events with subsequent administrator-context actions from the same client IP or user agent.
- Deploy a Web Application Firewall (WAF) rule to inspect requests targeting the vulnerable plugin actions.
Monitoring Recommendations
- Monitor wp_users and wp_usermeta tables for unauthorized wp_capabilities changes and new administrator accounts.
- Track outbound cookie issuance for the wordpress_logged_in_* and wordpress_sec_* values that do not match the expected authenticated user.
- Review the WordPress plugin directory for unexpected file modifications and new PHP files consistent with post-exploitation web shells.
How to Mitigate CVE-2025-6754
Immediate Actions Required
- Update the SEO Metrics plugin to a version later than 1.0.15 where the maintainer has added capability checks, or deactivate and remove the plugin until a patched release is confirmed.
- Audit existing WordPress user accounts and remove any unauthorized administrator or elevated-role accounts created recently.
- Force a password reset and session invalidation for all administrator accounts to revoke any stolen cookies.
- Rotate WordPress salts in wp-config.php to invalidate previously issued authentication cookies.
Patch Information
Review the plugin change history at the WordPress Plugin Change Set and the WordPress Plugin Developer Info page for the fixed release. Confirm that the updated plugin adds current_user_can() capability checks in seo_metrics_handle_connect_button_click() and seo_metrics_handle_custom_endpoint().
Workarounds
- Disable open user registration in WordPress general settings to prevent unauthenticated attackers from acquiring subscriber accounts.
- Restrict access to admin-ajax.php for low-privileged roles through a WAF rule until the plugin is patched.
- Remove the SEO Metrics plugin entirely if patching is not feasible.
- Restrict administrative dashboard access by source IP where operationally viable.
# Rotate WordPress salts to invalidate all authentication cookies
# Fetch fresh salts and replace the block in wp-config.php
curl -s https://api.wordpress.org/secret-key/1.1/salt/
# Force logout of all users via WP-CLI
wp user session destroy --all --all-users
# Remove the vulnerable plugin
wp plugin deactivate seo-metrics-helper
wp plugin delete seo-metrics-helper
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

