CVE-2025-6754: 
WordPress vulnerability analysis and mitigation

CVE-2025-6754 affects the SEO Metrics plugin for WordPress versions 1.0.5 through 1.0.15. The vulnerability was discovered and reported by Wordfence, with the initial disclosure on August 2, 2025. This security issue impacts WordPress installations with the SEO Metrics plugin installed, particularly affecting the authentication and authorization mechanisms (NVD).

The vulnerability stems from missing authorization checks in two key functions: seometricshandleconnectbuttonclick() AJAX handler and seometricshandlecustom_endpoint() function. The security flaw exists because the AJAX action only verifies a nonce without checking the caller's capabilities. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a serious security risk (NVD).

The vulnerability allows subscriber-level users to retrieve authentication tokens and subsequently access custom endpoints to obtain full administrator cookies. This effectively enables privilege escalation from a low-privileged subscriber account to administrative access, potentially compromising the entire WordPress installation (NVD).

The plugin has been temporarily closed as of July 30, 2025, pending a full security review. Users are advised to disable and remove the SEO Metrics plugin until a patched version is released (WordPress Plugin).