CVE-2025-12354
BaseFortify
Publication date: 2025-12-05
Last updated on: 2026-04-08
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dojo_digital | live_css_preview | 2.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Live CSS Preview plugin for WordPress allows authenticated users with Subscriber-level access or higher to modify the plugin's CSS settings without proper authorization. This happens because the plugin's 'wp_ajax_frontend_save' AJAX endpoint lacks a capability check, enabling unauthorized data modification.
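A minimal before/after of the missing check described above, as an added example that is not the plugin's own code: only the `wp_ajax_frontend_save` hook name comes from the advisory; the function names, option key, POST field and nonce action are assumptions.

```php
<?php
// Added illustration, not code from the Live CSS Preview plugin.
// The hook name wp_ajax_frontend_save is from the advisory; everything
// else (function names, option key, POST field, nonce action) is assumed.

// Vulnerable pattern (CWE-862, missing authorization): wp_ajax_* hooks fire
// for any logged-in user, so a Subscriber reaching this handler can write
// the plugin's CSS setting because nothing checks who is calling.
function lcp_frontend_save_vulnerable() {
    $css = isset( $_POST['css'] ) ? wp_unslash( $_POST['css'] ) : '';
    update_option( 'lcp_custom_css', $css ); // hypothetical option key
    wp_send_json_success();
}

// Hardened pattern: verify a nonce (blocks CSRF) and a capability
// (authorization) before touching settings. Subscribers do not hold
// manage_options, so they receive a 403 and the option is left unchanged.
// The client must send a nonce created with wp_create_nonce( 'lcp_frontend_save' ).
function lcp_frontend_save_hardened() {
    check_ajax_referer( 'lcp_frontend_save', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $css = isset( $_POST['css'] ) ? wp_unslash( $_POST['css'] ) : '';
    // Output sanitization is a separate concern from the authorization fix;
    // stripping tags keeps a saved stylesheet from closing its <style> block.
    update_option( 'lcp_custom_css', wp_strip_all_tags( $css ) );
    wp_send_json_success();
}

// Only the hardened handler should be registered on the AJAX hook.
add_action( 'wp_ajax_frontend_save', 'lcp_frontend_save_hardened' );
```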
How can this vulnerability impact me?
This vulnerability can allow attackers with low-level access (Subscriber or above) to change the CSS settings of the plugin, potentially altering the appearance or behavior of the website. While it does not impact confidentiality or availability, it can lead to unauthorized changes that may affect the integrity of the website's presentation.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or uninstalling the Live CSS Preview plugin, as it has been temporarily closed and is no longer available for download pending a full security review. Additionally, restrict Subscriber-level and above users from accessing or modifying plugin settings until a patched version is released. [2]