Overview
CVE-2025-13085 is a medium-severity vulnerability affecting the SiteSEO – SEO Simplified plugin for WordPress, versions up to and including 1.3.2. This vulnerability allows authenticated attackers with the siteseo_manage capability (typically Author-level users granted SiteSEO access by an administrator) to read arbitrary post metadata from any post, page, attachment, or WooCommerce order, even if they lack editing permissions. This is due to a lack of object-level authorization in the resolve_variables() AJAX handler.
In WooCommerce installations, this can lead to the exposure of highly sensitive customer billing information, including names, email addresses, phone numbers, physical addresses, and payment methods.
Technical Details
The vulnerability stems from missing authorization checks within the resolve_variables() AJAX handler. The plugin’s custom field variable resolution feature, intended for SEO optimization, can be abused to extract post metadata. Specifically:
- The resolve_variables() function (see ajax.php#L542) lacks sufficient checks to ensure the requesting user has permission to access the metadata of the target post.
- Users with the siteseo_manage capability, granted by an administrator via admin.php#L106 and titlesmetas.php#L494, can exploit this.
- The vulnerability is only exploitable if “legacy storage” is enabled in the plugin’s settings.
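The following is an added illustration of the missing object-level check, not SiteSEO's own code: a hypothetical AJAX handler gated only by a plugin-wide capability, beside a hardened version that also authorizes against the specific post. The action name, function names, nonce name and request field names are assumptions for this example.

```php
<?php
// Added illustration, not the plugin's code. The action, function, nonce and
// request field names below are assumptions made for this example.

// Vulnerable pattern: the only gate is a plugin-wide capability, so any user
// holding it can read meta from whatever post ID they supply.
function example_resolve_variables_unsafe() {
    check_ajax_referer( 'example_nonce', 'nonce' );
    if ( ! current_user_can( 'siteseo_manage' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $key     = sanitize_text_field( wp_unslash( $_POST['meta_key'] ?? '' ) );
    // No check that this user may access $post_id at all.
    wp_send_json_success( get_post_meta( $post_id, $key, true ) );
}

// Hardened pattern: keep the capability gate, then add object-level
// authorization for the requested post and refuse protected meta keys.
function example_resolve_variables_safe() {
    check_ajax_referer( 'example_nonce', 'nonce' );
    if ( ! current_user_can( 'siteseo_manage' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $key     = sanitize_text_field( wp_unslash( $_POST['meta_key'] ?? '' ) );

    // Object-level check: the post must exist and the caller must be allowed
    // to edit it. edit_post is a meta capability, so this covers pages,
    // attachments and custom post types that map their capabilities.
    if ( ! $post_id || ! get_post( $post_id )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Underscore-prefixed keys (order billing fields, internal state) are
    // protected meta and should never be exposed through a template variable.
    if ( '' === $key || is_protected_meta( $key, 'post' ) ) {
        wp_send_json_error( 'invalid_key', 400 );
    }

    wp_send_json_success( get_post_meta( $post_id, $key, true ) );
}
add_action( 'wp_ajax_example_resolve_variables', 'example_resolve_variables_safe' );
```

Objects that are not stored as posts (for example orders under non-post order storage) are denied by the get_post() check here; a handler that must support them needs an equivalent per-object capability check rather than a blanket allow.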
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-13085 is 4.3 (Medium).
This score reflects the following characteristics:
- Attack Vector (AV): Network (N) – The vulnerability can be exploited remotely.
- Attack Complexity (AC): Low (L) – Exploitation requires little specialized knowledge or access.
- Privileges Required (PR): Low (L) – An authenticated user with limited privileges (siteseo_manage) can exploit the vulnerability.
- User Interaction (UI): None (N) – No user interaction is required to trigger the vulnerability.
- Scope (S): Unchanged (U) – The vulnerability only affects the SiteSEO plugin.
- Confidentiality Impact (C): Low (L) – Limited sensitive information disclosure. However, in the context of WooCommerce billing data, this “limited” information can be quite damaging.
- Integrity Impact (I): None (N) – The vulnerability does not allow modification of data.
- Availability Impact (A): None (N) – The vulnerability does not affect system availability.
Possible Impact
Successful exploitation of CVE-2025-13085 can have the following consequences:
- Data Breach: Exposure of sensitive post metadata, including custom fields.
- WooCommerce Customer Data Exposure: In WooCommerce installations, attackers can access customer names, email addresses, phone numbers, physical addresses, and potentially payment method details. This poses a significant risk of identity theft and financial fraud.
- Reputation Damage: A data breach can severely damage a website’s reputation and customer trust.
Mitigation or Patch Steps
The vulnerability has been patched in a later version of the SiteSEO plugin. The recommended course of action is to:
- Update the SiteSEO plugin: Immediately update the SiteSEO – SEO Simplified plugin to the latest available version. This version includes the necessary security fixes.
- Review User Permissions: Audit user roles and permissions within WordPress, especially those with the siteseo_manage capability. Ensure that only trusted users have access to SiteSEO management features.
- Disable Legacy Storage (If possible): While not a complete fix, disabling legacy storage within the plugin settings may mitigate the risk if immediate updating is not possible. (This depends on plugin version and functionality needs.)
References
Wordfence Threat Intelligence: CVE-2025-13085
SiteSEO admin.php (Trac)
SiteSEO ajax.php (Trac)
SiteSEO titlesmetas.php (Trac)
SiteSEO Changeset (Trac)
