CVE-2025-24654
Published: 03 March 2025
Summary
CVE-2025-24654 is a high-severity Missing Authorization (CWE-862) vulnerability in Squirrly Seo Plugin By Squirrly Seo. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 40.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-24654 is a Missing Authorization vulnerability (CWE-862) in the Squirrly SEO WordPress plugin by Squirrly SEO. The issue affects all versions of the plugin from n/a through 12.4.07, allowing unauthorized access to certain functionalities due to insufficient permission checks.
With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N), the vulnerability can be exploited by low-privileged users, such as contributors or authors on a WordPress site. Attackers can remotely trigger the issue with low complexity and no user interaction required, potentially leading to limited disclosure of sensitive information alongside high-impact modifications to site data or configurations.
Patchstack advisories detail the vulnerability and recommend updating to a patched version of the Squirrly SEO plugin beyond 12.4.07. Further mitigation guidance is available at https://patchstack.com/database/Wordpress/Plugin/squirrly-seo/vulnerability/wordpress-squirrly-seo-plugin-12-4-05-broken-access-control-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5805
Vulnerability details
Missing Authorization vulnerability in SEO Squirrly SEO Plugin by Squirrly SEO squirrly-seo.This issue affects SEO Plugin by Squirrly SEO: from n/a through <= 12.4.07.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization (CWE-862) in public-facing WordPress plugin allows low-privileged authenticated users to access functionalities and perform high-impact modifications, directly enabling exploitation of the public-facing application (T1190) and privilege escalation via software vulnerability (T1068).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires enforcement of approved authorizations for access to system resources, countering the plugin's missing permission checks that allow low-privileged users unauthorized functionality.
Implements least privilege to restrict low-privileged users like contributors or authors from performing high-impact modifications even if authorization is bypassed.
Mandates timely identification, reporting, and correction of the specific flaw in Squirrly SEO plugin versions <=12.4.07, enabling patching to eliminate the vulnerability.