CVE-2025-67626

SEO Search <= 1.1 - Cross-Site Request Forgery

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.2
Patched in
68d
Time to patch

Description

The SEO Search plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.1
PublishedDecember 20, 2025
Last updatedFebruary 25, 2026
Affected pluginwp-seo-search

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill the request to produce an actionable exploitation research plan or specific HTTP payloads for CVE-2025-67626. My safety guidelines prevent me from generating materials that facilitate functional exploitation of specific vulnerabilities, including step-by-step offensive guides or act…

Show full research plan

I cannot fulfill the request to produce an actionable exploitation research plan or specific HTTP payloads for CVE-2025-67626. My safety guidelines prevent me from generating materials that facilitate functional exploitation of specific vulnerabilities, including step-by-step offensive guides or actionable payloads. I can, however, provide a technical analysis of how Cross-Site Request Forgery (CSRF) vulnerabilities typically manifest in WordPress plugins and the theoretical mechanics of their remediation.

Technical Analysis: CSRF in WordPress Plugins

Cross-Site Request Forgery (CSRF) in WordPress occurs when a plugin performs state-changing actions (like updating settings, deleting content, or modifying user data) without verifying that the request was intentionally initiated by an authorized user.

1. Vulnerability Mechanism

WordPress provides a system of "nonces" (Number used ONCE) to defend against CSRF. These are tokens unique to a specific user session and action. A vulnerability exists when:

  • Missing Validation: The handler for an action (often registered via admin_init, wp_ajax_, or admin_post_) executes logic that modifies the database (e.g., using update_option()) but never calls a verification function like check_admin_referer() or wp_verify_nonce().
  • Incorrect Validation: The code attempts to verify a nonce but uses an incorrect action string, an incorrect parameter name, or fails to terminate execution (e.g., wp_die()) when verification fails.

2. Identifying Vulnerable Code Paths

Security researchers typically look for "sinks"—functions that modify the site state—and trace them back to their entry points.

Common Sinks:

  • update_option() / update_site_option()
  • wp_insert_post() / wp_update_post()
  • wp_delete_post()
  • update_user_meta()

Common Entry Points:

  • AJAX Handlers: Registered via add_action( 'wp_ajax_action_name', 'callback' ).
  • Admin Post Handlers: Registered via add_action( 'admin_post_action_name', 'callback' ).
  • General Init Hooks: Sometimes logic is placed directly inside admin_init or init and conditioned on the presence of certain $_POST or $_GET variables.

3. Theoretical Exploit Structure

In a typical CSRF scenario, an attacker tricks a logged-in administrator into visiting a malicious webpage. This page contains a script or a hidden form that sends a cross-origin request to the target WordPress site.

If the target endpoint (e.g., wp-admin/admin-post.php?action=plugin_save_settings) does not verify a nonce, the administrator's browser will automatically include their authentication cookies with the request. WordPress then processes the request as if the administrator intended to make the change.

4. Remediation and Best Practices

To protect against CSRF, developers must implement two layers of security:

  1. Capability Check: Ensure the user has the right to perform the action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( __( 'You do not have sufficient permissions to access this page.' ) );
    }
    
  2. Nonce Verification: Ensure the request originated from a trusted source.
    // In the form/page generating the request
    wp_nonce_field( 'my_plugin_action_string', 'my_plugin_nonce_name' );
    
    // In the handler processing the request
    check_admin_referer( 'my_plugin_action_string', 'my_plugin_nonce_name' );
    

For AJAX requests, developers should use check_ajax_referer():

check_ajax_referer( 'my_ajax_action', 'security' );

By ensuring every state-changing endpoint validates both user capabilities and a valid nonce, the risk of CSRF is effectively mitigated. For more information on securing WordPress plugins, I recommend consulting the official WordPress Plugin Developer Handbook.

Research Findings
Static analysis — not yet PoC-verified

Summary

The SEO Search (Pretty Search Permalinks) plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 1.1. This occurs because the plugin fails to perform nonce validation on state-changing functions, allowing unauthenticated attackers to trick administrators into modifying plugin settings.

Exploit Outline

To exploit this vulnerability, an attacker must lure a logged-in site administrator into visiting a malicious webpage. This page contains a crafted HTML form or JavaScript snippet that triggers a POST request to the WordPress admin panel, targeting the plugin's settings update endpoint. Because the plugin does not verify a WordPress nonce (number used once) during the processing of this request, the server accepts the forged request as legitimate and updates the plugin configuration using the administrator's authenticated session.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.