CVE-2025-12165
BaseFortify
Publication date: 2025-12-05
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| huyme | webcake | 1.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Webcake – Landing Page Builder plugin for WordPress, where a missing capability check on the 'webcake_save_config' AJAX endpoint allows authenticated users with Subscriber-level access or higher to modify the plugin's settings without proper authorization.
How can this vulnerability impact me?
An attacker with at least Subscriber-level access can modify the plugin's settings, potentially leading to unauthorized changes in the website's landing page configurations, which could affect site behavior or security.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Webcake – Landing Page Builder plugin to version 1.2 or later, as the vulnerability affects all versions up to and including 1.1. Additionally, restrict Subscriber-level access if possible and monitor plugin settings for unauthorized changes. [2]