CVE-2025-28997: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in EXEIdeas International's WP AutoKeyword plugin affecting versions through 1.0. The vulnerability was discovered by researcher Hiro (Code016Hiro) on April 25, 2025, and was publicly disclosed on June 5, 2025. This security issue has been assigned CVE-2025-28997 and allows exploitation of incorrectly configured access control security levels (Patchstack).

The vulnerability has been classified as a Broken Access Control issue, falling under the OWASP Top 10 category A1. It received a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The vulnerability stems from a missing authorization, authentication, or nonce token check in a function that could allow unprivileged users to execute higher privileged actions (Patchstack).

The security issue has been assessed as having a low severity impact and is considered unlikely to be exploited. The vulnerability specifically affects the integrity of the system, as indicated by the CVSS scoring, while confidentiality and availability remain unaffected (Patchstack).

Currently, no official fix is available for this vulnerability. Given the low severity impact, Patchstack has indicated that a virtual patch is unnecessary (Patchstack).