CVE-2025-14386
Published: 28 January 2026
Summary
CVE-2025-14386 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 34.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for logical access to information and system resources, directly addressing the missing capability checks in the plugin's generate_sso_url and validate_sso_token functions.
Employs least privilege to restrict Subscriber-level users from performing unauthorized actions like extracting admin nonce_tokens for privilege escalation.
Requires timely identification, reporting, and correction of flaws such as the authentication bypass due to missing authorization in the vulnerable plugin versions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an authentication bypass due to missing capability checks, allowing low-privileged (Subscriber) authenticated users to extract an admin authentication token and gain administrator access, directly enabling exploitation for privilege escalation.
NVD Description
The Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the 'generate_sso_url' and 'validate_sso_token' functions in versions 2.4.4 to…
more
2.5.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the 'nonce_token' authentication value to log in to the first Administrator's account.
Deeper analysisAI
CVE-2025-14386 is an authentication bypass vulnerability in the Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization for WordPress, affecting versions 2.4.4 through 2.5.12. The issue arises from a missing capability check in the 'generate_sso_url' and 'validate_sso_token' functions within the plugin's admin component, classified as CWE-862 (Missing Authorization). It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By leveraging the unprotected functions, they can extract the 'nonce_token' authentication value, enabling them to log in directly to the site's first Administrator account and gain elevated privileges.
Advisories reference specific vulnerable code locations in the plugin's Trac repository, including lines 1042, 1141, and 851 in admin/class-metasync-admin.php for version 2.5.12, along with a Wordfence threat intelligence report detailing the issue (ID: 6f63d2c4-cbae-4177-8494-daca96449ecc).
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai