CVE-2025-12372
BaseFortify
Publication date: 2025-11-18
Last updated on: 2025-11-18
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | the_permalinks_cascade | 2.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Permalinks Cascade plugin for WordPress is a Missing Authorization issue. It occurs because the plugin does not properly verify if a user is authorized to perform certain actions in the handleTPCAdminAjaxRequest function. This allows authenticated users with subscriber-level access or higher to perform administrative actions they should not be able to, such as enabling or disabling automatic pinging settings and modifying page exclusion settings.
How can this vulnerability impact me?
This vulnerability can allow an attacker with subscriber-level access or above to perform unauthorized administrative actions on the WordPress site. This could lead to changes in site behavior, such as altering automatic pinging settings or modifying which pages are excluded, potentially disrupting site functionality or affecting site operations without proper authorization.