CVE-2025-12639
BaseFortify
Publication date: 2025-11-18
Last updated on: 2025-11-18
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wmodes_catalog_mode_product_pricing_enquiry_forms_&_promotions | 1.2.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions plugin for WordPress (up to version 1.2.2). It is an authorization bypass issue where the plugin fails to properly verify if a user is authorized to access sensitive information through an AJAX endpoint. As a result, authenticated users with subscriber-level access or higher can extract sensitive data such as user emails, usernames, roles, capabilities, and WooCommerce-related information including products and payment methods.
How can this vulnerability impact me?
This vulnerability can allow attackers with low-level authenticated access to retrieve sensitive information that they should not have access to. This includes personal user data (emails, usernames, roles) and e-commerce data (products and payment methods). Such unauthorized data exposure can lead to privacy breaches, potential misuse of user information, and compromise of business data integrity.