CVE-2025-6754
WordPress · WordPress SEO Metrics plugin
Executive summary
A high-severity vulnerability has been discovered in the SEO Metrics plugin for WordPress, identified as CVE-2025-6754. This flaw allows any authenticated user, regardless of their permission level, to gain administrative privileges on the affected website. Successful exploitation could lead to a complete site takeover, allowing an attacker to steal data, deface the website, or distribute malware to visitors.
Vulnerability
The vulnerability is a Privilege Escalation due to missing capability or authorization checks on two separate functions within the plugin. The seo_metrics_handle_connect_button_click() AJAX handler and the seo_metrics_handle_custom_endpoint() function both fail to verify that the user making the request has sufficient permissions to perform administrative actions. An attacker with a low-privileged account, such as a 'subscriber', can send a specially crafted request to these functions to execute privileged operations, including elevating their own account to an administrator role.
Business impact
This is a High severity vulnerability with a CVSS score of 8.8. Exploitation could lead to a complete compromise of the organization's WordPress website, resulting in significant business impact. Potential consequences include theft of sensitive customer or user data, financial loss, reputational damage from website defacement, and the use of the compromised website to host phishing campaigns or distribute malware. A site compromise could also lead to SEO penalties from search engines and a loss of customer trust.
Remediation
Immediate Action: The primary remediation is to update the SEO Metrics plugin to the latest secure version provided by the vendor, which contains patches for this vulnerability. If the plugin is not critical to business operations, an alternative and highly effective measure is to deactivate and completely remove the plugin from the WordPress installation to eliminate the attack surface. After applying the patch, review all administrator-level accounts for any signs of unauthorized creation or modification.
Proactive Monitoring: Security teams should monitor web server and application logs for suspicious activity. Specifically, look for an unusual volume of POST requests to /wp-admin/admin-ajax.php with the actions seo_metrics_handle_connect_button_click or seo_metrics_handle_custom_endpoint, especially if originating from low-privileged users. Note that the action parameter is normally sent in the POST body, which standard web server access logs do not record, so this detection relies on a WAF, reverse proxy, or application-level log that captures request parameters and the authenticated user. Monitor for unexpected user privilege escalations or the creation of new administrative accounts in WordPress audit logs.
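The following detection script is an added example, not part of this advisory or of the plugin. It runs the three checks described above over a constructed JSON-lines request log of the kind a WAF or reverse proxy can emit when it records the POST `action` parameter and the authenticated WordPress user; the field names (`ts`, `ip`, `method`, `path`, `action`, `user`, `role`) are assumptions, not a real product's schema. It flags calls to the two vulnerable actions by non-administrators, bursts of such calls from one source, and any account whose role changes from a non-admin role to administrator during the log.

```python
"""Detection logic for the admin-ajax.php activity described in the CVE-2025-6754 advisory.
Added example; the log format and field names below are assumptions, not a real schema."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# AJAX actions named in the advisory
VULNERABLE_ACTIONS = {
    "seo_metrics_handle_connect_button_click",
    "seo_metrics_handle_custom_endpoint",
}
AJAX_PATH = "/wp-admin/admin-ajax.php"
PRIVILEGED_ROLES = {"administrator"}
BURST_THRESHOLD = 5                 # calls per source IP within BURST_WINDOW
BURST_WINDOW = timedelta(minutes=5)

# Constructed sample log (not real traffic); one malformed line is included on purpose
SAMPLE_LOG = """\
{"ts": "2025-07-01T10:00:01Z", "ip": "203.0.113.5", "method": "POST", "path": "/wp-admin/admin-ajax.php", "action": "heartbeat", "user": "editor1", "role": "editor"}
{"ts": "2025-07-01T10:00:05Z", "ip": "198.51.100.9", "method": "POST", "path": "/wp-admin/admin-ajax.php", "action": "seo_metrics_handle_connect_button_click", "user": "admin", "role": "administrator"}
this line is not json
{"ts": "2025-07-01T10:01:10Z", "ip": "192.0.2.77", "method": "POST", "path": "/wp-admin/admin-ajax.php", "action": "seo_metrics_handle_custom_endpoint", "user": "newsub", "role": "subscriber"}
{"ts": "2025-07-01T10:01:11Z", "ip": "192.0.2.77", "method": "POST", "path": "/wp-admin/admin-ajax.php", "action": "seo_metrics_handle_custom_endpoint", "user": "newsub", "role": "subscriber"}
{"ts": "2025-07-01T10:01:12Z", "ip": "192.0.2.77", "method": "POST", "path": "/wp-admin/admin-ajax.php", "action": "seo_metrics_handle_connect_button_click", "user": "newsub", "role": "subscriber"}
{"ts": "2025-07-01T10:01:13Z", "ip": "192.0.2.77", "method": "POST", "path": "/wp-admin/admin-ajax.php", "action": "seo_metrics_handle_custom_endpoint", "user": "newsub", "role": "subscriber"}
{"ts": "2025-07-01T10:01:14Z", "ip": "192.0.2.77", "method": "POST", "path": "/wp-admin/admin-ajax.php", "action": "seo_metrics_handle_custom_endpoint", "user": "newsub", "role": "subscriber"}
{"ts": "2025-07-01T10:01:15Z", "ip": "192.0.2.77", "method": "POST", "path": "/wp-admin/admin-ajax.php", "action": "seo_metrics_handle_custom_endpoint", "user": "newsub", "role": "subscriber"}
{"ts": "2025-07-01T10:02:00Z", "ip": "192.0.2.77", "method": "GET", "path": "/wp-admin/users.php", "action": "", "user": "newsub", "role": "administrator"}
"""


def parse_log(text):
    """Parse JSON-lines records; blank or malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError):
            continue
        records.append(rec)
    return records


def is_vulnerable_call(rec):
    """True for a POST to admin-ajax.php naming one of the advisory's actions."""
    return (rec.get("method") == "POST" and rec.get("path") == AJAX_PATH
            and rec.get("action") in VULNERABLE_ACTIONS)


def find_low_privilege_hits(records):
    """Calls to the vulnerable actions made by users who are not administrators."""
    return [r for r in records
            if is_vulnerable_call(r) and r.get("role") not in PRIVILEGED_ROLES]


def find_bursts(records, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Source IPs that hit the vulnerable actions at least `threshold` times in `window`."""
    by_ip = defaultdict(list)
    for r in records:
        if is_vulnerable_call(r):
            by_ip[r["ip"]].append(r["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        recent = deque()                      # sliding window of timestamps
        for t in sorted(times):
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                flagged.add(ip)
                break
    return flagged


def find_role_escalations(records):
    """Accounts whose logged role moves from a non-admin role to administrator."""
    last_role, escalations = {}, []
    for r in sorted(records, key=lambda r: r["ts"]):
        user, role = r.get("user"), r.get("role")
        if not user or not role:
            continue
        prev = last_role.get(user)
        if prev and prev not in PRIVILEGED_ROLES and role in PRIVILEGED_ROLES:
            escalations.append((user, prev, role, r["ts"].isoformat()))
        last_role[user] = role
    return escalations


def analyze(text):
    """Run all three checks over a JSON-lines log and return the findings."""
    records = parse_log(text)
    return {
        "low_privilege_hits": find_low_privilege_hits(records),
        "burst_sources": find_bursts(records),
        "role_escalations": find_role_escalations(records),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The burst threshold and window are tuning knobs; a single call from an administrator (as in the sample) is expected traffic for the plugin's own UI and is deliberately not flagged, while the role-change check is a coarse heuristic that should be confirmed against the WordPress audit log before any account is disabled.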
Compensating Controls: If immediate patching is not feasible, a Web Application Firewall (WAF) can be configured with rules to block or alert on requests targeting the vulnerable AJAX actions. Additionally, enforcing the principle of least privilege by disabling public user registration and regularly auditing existing user accounts can help reduce the risk of initial access by an attacker.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the High severity (CVSS 8.8) of this vulnerability and the low complexity required for exploitation, we recommend immediate and urgent action. All organizations using the SEO Metrics plugin for WordPress must prioritize applying the vendor-supplied patch. If the plugin is not essential, the most secure course of action is to remove it entirely. Due to the high likelihood of future exploitation, proactive monitoring and a swift remediation response are critical to preventing a full compromise of the web application.