Attack Vectors
CVE-2025-67626 is a Medium-severity Cross-Site Request Forgery (CSRF) issue (CVSS 4.3) affecting the Pretty Search Permalinks (SEO Search) WordPress plugin (slug: wp-seo-search) in versions 1.1 and earlier.
CSRF attacks rely on user interaction. In this case, an attacker does not need to log in, but must trick a site administrator (or another privileged user) into taking an action—such as clicking a crafted link in an email, opening a message in a collaboration tool, or visiting a webpage that silently submits a request in the background.
Because the vulnerability is remotely reachable over the internet (AV:N) and low complexity (AC:L), the main “gate” for exploitation is whether an attacker can successfully lure an admin into interacting with the malicious content (UI:R).
Security Weakness
The root cause is missing or incorrect nonce validation in a plugin function. In WordPress, nonces are a key safeguard designed to ensure that sensitive actions initiated in an admin session were intentionally triggered by the authenticated user.
When nonce validation is missing or implemented incorrectly, a third party can forge requests that appear legitimate to WordPress because they are executed in the context of an already logged-in administrator’s browser session.
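As an added illustration (not the plugin's own code, which this page does not reproduce), here is the pattern the weakness describes in a hypothetical settings-save handler: the unsafe version persists whatever POST data arrives in an admin session, while the hardened version checks both the user's capability and the nonce that WordPress emitted with the form. All function, hook, option and capability names are assumptions made for the example.

```php
<?php
/**
 * Added example, not code from the Pretty Search Permalinks plugin.
 * Hook names, option names, the capability and the action string are
 * assumptions chosen for illustration.
 */

// --- Vulnerable pattern (shown only for contrast; it is not hooked anywhere).
// The handler trusts any POST that lands in an admin session, so a form
// submitted by the admin's browser from a third-party page is
// indistinguishable from an intentional change.
function wpss_demo_save_settings_unsafe() {
    if ( ! isset( $_POST['wpss_search_base'] ) ) {
        return;
    }
    // No check_admin_referer()/wp_verify_nonce() and no capability check.
    update_option( 'wpss_demo_search_base', sanitize_text_field( wp_unslash( $_POST['wpss_search_base'] ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=wpss-demo&updated=1' ) );
    exit;
}

// --- Hardened pattern: verify authorization (capability) AND intent (nonce).
function wpss_demo_save_settings_safe() {
    // 1. Authorization: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'wpss-demo' ), '', array( 'response' => 403 ) );
    }

    // 2. Intent: the request must carry the nonce emitted with the form.
    //    check_admin_referer() reads $_REQUEST['_wpnonce'] and calls wp_die() on failure.
    check_admin_referer( 'wpss_demo_save_settings' );

    // 3. Input handling: unslash, then sanitize before persisting.
    $base = isset( $_POST['wpss_search_base'] )
        ? sanitize_title( wp_unslash( $_POST['wpss_search_base'] ) )
        : 'search';

    update_option( 'wpss_demo_search_base', $base );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=wpss-demo' ) ) );
    exit;
}

// The settings form must embed the matching nonce; wp_nonce_field() adds the
// hidden _wpnonce input (plus a referer field) that check_admin_referer() expects.
function wpss_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpss_demo_save" />
        <?php wp_nonce_field( 'wpss_demo_save_settings' ); ?>
        <label for="wpss_search_base">Search base</label>
        <input type="text" id="wpss_search_base" name="wpss_search_base"
               value="<?php echo esc_attr( get_option( 'wpss_demo_search_base', 'search' ) ); ?>" />
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Route the admin-post action to the hardened handler only.
add_action( 'admin_post_wpss_demo_save', 'wpss_demo_save_settings_safe' );
```

The two checks are deliberately separate: `current_user_can()` answers "may this account do this?", while the nonce answers "did this account mean to do it right now?". A nonce alone does not replace the capability check, and a capability check alone is exactly the gap a CSRF exploits, because the forged request already runs with the administrator's cookies.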
Technical or Business Impacts
While the published CVSS vector indicates no direct confidentiality impact (C:N) and a limited integrity impact (I:L), CSRF issues can still create meaningful business risk—especially when they enable unauthorized settings changes or other actions that affect how your site behaves.
Potential business impacts include:
SEO and brand risk: If unauthorized actions alter SEO-related behavior (such as permalink/search configurations), it may lead to undesirable indexing outcomes, degraded search visibility, or confusing customer experiences.
Operational disruption: Even limited unauthorized changes can create time-consuming troubleshooting and rollback work for marketing, web, or IT teams—diverting effort from campaigns and revenue activities.
Governance and compliance concerns: If administrative actions can be triggered without appropriate intent verification, it can weaken change-control expectations and complicate audit narratives around “who approved what change and when.”
Recommended remediation: Update Pretty Search Permalinks to version 1.2 or newer (patched). Track the issue under CVE-2025-67626. Additional vendor/community details are available in Wordfence’s vulnerability record for this CVE.