Cyber Resilience

CVE-2025-24654

High

Published: 03 March 2025

Published
03 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
EPSS Score 0.0019 40.1th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24654 is a high-severity Missing Authorization (CWE-862) vulnerability in Squirrly Seo Plugin By Squirrly Seo. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 40.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-24654 is a Missing Authorization vulnerability (CWE-862) in the Squirrly SEO WordPress plugin by Squirrly SEO. The issue affects all versions of the plugin from n/a through 12.4.07, allowing unauthorized access to certain functionalities due to insufficient permission checks.

With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N), the vulnerability can be exploited by low-privileged users, such as contributors or authors on a WordPress site. Attackers can remotely trigger the issue with low complexity and no user interaction required, potentially leading to limited disclosure of sensitive information alongside high-impact modifications to site data or configurations.

Patchstack advisories detail the vulnerability and recommend updating to a patched version of the Squirrly SEO plugin beyond 12.4.07. Further mitigation guidance is available at https://patchstack.com/database/Wordpress/Plugin/squirrly-seo/vulnerability/wordpress-squirrly-seo-plugin-12-4-05-broken-access-control-vulnerability?_s_id=cve.

EU & UK References

Vulnerability details

Missing Authorization vulnerability in SEO Squirrly SEO Plugin by Squirrly SEO squirrly-seo.This issue affects SEO Plugin by Squirrly SEO: from n/a through <= 12.4.07.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization (CWE-862) in public-facing WordPress plugin allows low-privileged authenticated users to access functionalities and perform high-impact modifications, directly enabling exploitation of the public-facing application (T1190) and privilege escalation via software vulnerability (T1068).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22783Same product: Squirrly Seo Plugin By Squirrly Seo
CVE-2026-4100Shared CWE-862
CVE-2026-32501Shared CWE-862
CVE-2025-31194Shared CWE-862
CVE-2026-6963Shared CWE-862
CVE-2024-9195Shared CWE-862
CVE-2025-6380Shared CWE-862
CVE-2026-0506Shared CWE-862
CVE-2025-2110Shared CWE-862
CVE-2025-27270Shared CWE-862

Affected Assets

squirrly
seo plugin by squirrly seo
≤ 12.4.08

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires enforcement of approved authorizations for access to system resources, countering the plugin's missing permission checks that allow low-privileged users unauthorized functionality.

prevent

Implements least privilege to restrict low-privileged users like contributors or authors from performing high-impact modifications even if authorization is bypassed.

prevent

Mandates timely identification, reporting, and correction of the specific flaw in Squirrly SEO plugin versions <=12.4.07, enabling patching to eliminate the vulnerability.

References