CVE-2025-13149
BaseFortify
Publication date: 2025-11-21
Last updated on: 2025-11-21
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| publishpress | future | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Schedule Post Changes With PublishPress Future plugin for WordPress, where a missing authorization check in the "saveFutureActionData" function allows authenticated users with author-level access or higher to modify data they should not be able to. Specifically, they can change the status of arbitrary posts and pages via the REST API endpoint without proper permission checks.
How can this vulnerability impact me? :
An attacker with author-level access or higher could exploit this vulnerability to change the status of posts and pages arbitrarily. This could lead to unauthorized content being published, unpublished, deleted, or otherwise altered, potentially disrupting website content management and integrity.