SEO Metrics WordPress Plugin Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability has been identified in the SEO Metrics plugin for WordPress, affecting versions 1.0.5 through 1.0.15. The issue arises from inadequate authorization checks in the 'seo_metrics_handle_connect_button_click()' AJAX handler and the 'seo_metrics_handle_custom_endpoint()' function. The AJAX action validates only a nonce and does not check the caller's capabilities, so a subscriber-level user can obtain a token, use it to access the custom endpoint, and thereby acquire full administrator cookies.
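The flaw class described above, nonce-only authorization, is shown here beside a hardened form as an added example; it is not the SEO Metrics plugin's code. The action name 'example_connect', the function names and the transient key prefix are hypothetical, and 'manage_options' is assumed to be the capability the feature should require.

```php
<?php
/**
 * Illustration only: NOT the SEO Metrics plugin's code. The action name
 * 'example_connect', all function names and the transient prefix are hypothetical.
 */
defined( 'ABSPATH' ) || exit;

// Weak pattern: a nonce only shows the request came from a page WordPress
// rendered for this logged-in user. It says nothing about what the user may do.
function example_handle_connect_weak() {
    check_ajax_referer( 'example_connect', 'nonce' );
    wp_send_json_success( array( 'token' => example_issue_token() ) );
}

// Hardened pattern: nonce check (CSRF) plus an explicit capability check (authorization).
function example_handle_connect_hardened() {
    check_ajax_referer( 'example_connect', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // exits here
    }
    wp_send_json_success( array( 'token' => example_issue_token() ) );
}

// Token is random, short-lived, stored hashed and bound to the requesting user's ID.
function example_issue_token() {
    $token = wp_generate_password( 40, false );
    set_transient( 'example_token_' . hash( 'sha256', $token ), get_current_user_id(), 5 * MINUTE_IN_SECONDS );
    return $token;
}

// Endpoint side: the token is single use and only ever maps back to the user who
// requested it, whose capability is re-checked before anything is returned.
function example_redeem_token( $token ) {
    $key     = 'example_token_' . hash( 'sha256', (string) $token );
    $user_id = (int) get_transient( $key );
    delete_transient( $key );
    if ( ! $user_id || ! user_can( $user_id, 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Invalid or unauthorized token', array( 'status' => 403 ) );
    }
    return $user_id;
}

// wp_ajax_{action} fires for every logged-in user, subscribers included,
// which is why the handler itself must enforce the capability.
add_action( 'wp_ajax_example_connect', 'example_handle_connect_hardened' );
```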

Impact

Exploitation of this vulnerability allows authenticated users with subscriber-level privileges to escalate to administrator, gaining access to administrator-level cookies and potentially compromising the site further.

Reproduction

To reproduce this vulnerability, an authenticated user with subscriber privileges can send a request to the 'seo_metrics_handle_connect_button_click()' AJAX handler. This request must include a valid nonce. Once the request is processed, the user will receive an authorization token. This token can then be used to access the 'seo_metrics_handle_custom_endpoint()' function, which will return the administrator cookies to the user, effectively escalating their privileges to administrator.

Remediation

No known patch is available for this vulnerability. It is recommended to review the vulnerability details thoroughly and consider uninstalling the affected plugin.

Added: Aug 2, 2025, 8:22 AM
Updated: Aug 2, 2025, 8:22 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.3
remediation: 0.0
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.