CVE-2025-12370
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-08
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | monetize-link | 1.0.13 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Takeads plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 1.0.13. This means the plugin does not properly check if a user is allowed to perform certain actions. As a result, authenticated users with subscriber-level access or higher can delete the plugin's configuration options, which they should not normally be able to do.
How can this vulnerability impact me?
This vulnerability allows authenticated users with low-level access (subscriber and above) to delete the plugin's configuration options. This could disrupt the plugin's functionality, potentially causing service interruptions or loss of important settings, which may affect the website's operation or user experience.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can focus on monitoring AJAX requests to the vulnerable action, that is, `wp_ajax_` concatenated with the plugin's AJAX_ACTION constant. Specifically, look for POST requests to admin-ajax.php whose `action` parameter matches the plugin's delete operation. Since the vulnerability involves unauthorized deletion of plugin options via this AJAX call, exploitation attempts can be detected by logging or capturing such requests. Network monitoring tools such as tcpdump or Wireshark can be used to filter HTTP POST requests to admin-ajax.php carrying the relevant action parameter. For example, with tcpdump:

```
tcpdump -i any -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
```

and then filter the output for `action=mlp_delete` (or the actual AJAX_ACTION value, if known). Note that this capture filter only sees unencrypted traffic on port 80; requests sent over HTTPS have to be inspected at the web server, reverse proxy or WAF, where the decrypted request is available. Additionally, WordPress logs or security plugins may be configured to log AJAX actions. However, no specific commands are provided in the resources. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Takeads plugin to a version later than 1.0.13 where the authorization bypass vulnerability is fixed. If an update is not yet available, restrict access to the plugin's AJAX delete action by implementing additional authorization checks or disabling the AJAX delete functionality temporarily. Also, monitor and audit user roles to ensure that only trusted users have subscriber-level or higher access, as the vulnerability requires at least subscriber-level authentication. Applying web application firewall (WAF) rules to block suspicious AJAX requests targeting the vulnerable action can also help mitigate exploitation. [2]
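As an added example (not code from the advisory or from the plugin), the following must-use plugin enforces the missing authorization check on the plugin's AJAX delete action until the fixed version is installed, logs blocked attempts for detection, and shows for comparison the shape a properly guarded handler should have. The action name, option name and function names are placeholders, since the real AJAX_ACTION value is not given in this record, and the guard assumes the plugin registers its handler at the default priority 10.

```php
<?php
/**
 * Plugin Name: Guard for unauthorized option deletion (stop-gap, added example)
 * Place in wp-content/mu-plugins/ until the fixed plugin version is installed.
 *
 * Assumption: the vulnerable plugin registers its handler with
 * add_action( 'wp_ajax_' . AJAX_ACTION, ... ) at the default priority 10.
 * The constant's real value is not given in this record, so a placeholder is used.
 */

const MLP_GUARD_ACTION = 'REPLACE_WITH_PLUGIN_AJAX_ACTION'; // placeholder

/**
 * Hooked at priority 0 on the same wp_ajax_{action} hook, so it runs before the
 * plugin's own callback and ends the request unless the caller may manage options.
 */
function mlp_guard_delete_action() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators fall through to the plugin's handler
    }
    // Record the blocked attempt for detection and incident review.
    error_log( sprintf(
        '[mlp-guard] blocked action=%s user=%d ip=%s',
        MLP_GUARD_ACTION,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    // wp_send_json_error() finishes with wp_die(), so the plugin callback never runs.
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}
add_action( 'wp_ajax_' . MLP_GUARD_ACTION, 'mlp_guard_delete_action', 0 );

/**
 * For comparison, the shape a fixed handler should have (CWE-862 remedied):
 * the CSRF nonce and the capability are both verified before any option is touched.
 * 'mlp_example_option' is a placeholder option name.
 */
function mlp_fixed_delete_handler() {
    check_ajax_referer( MLP_GUARD_ACTION, 'nonce' );      // rejects a missing or invalid nonce
    if ( ! current_user_can( 'manage_options' ) ) {       // the authorization check that was missing
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }
    delete_option( 'mlp_example_option' );
    wp_send_json_success();
}
```

The guard blocks every authenticated non-administrator on that one action only, so it does not interfere with the rest of the plugin; remove it once the patched version is deployed.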