CVE-2025-12820
BaseFortify

Publication date: 2025-12-20

Last updated on: 2025-12-20

Assigner: WPScan

Description

The Pure WC Variation Swatches WordPress plugin through 1.1.7 does not have an authorization check when updating its settings, which could allow any authenticated user to update them.
Meta Information

Generated: 2026-06-16
AI Q&A: 2025-12-20
EPSS evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)

Vendor: wordpress
Product: pure_wc_variation_swatches
Version / Range: 1.1.7
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability affects the Pure WC Variation Swatches WordPress plugin up to version 1.1.7. It occurs because the plugin does not perform proper authorization checks when updating its settings via AJAX requests. As a result, any authenticated user, regardless of their privilege level, can modify the plugin's settings without restriction by sending specially crafted POST requests to the plugin's AJAX endpoint. [1]

Impact Analysis

The vulnerability allows any authenticated user to change the plugin's settings arbitrarily. This could lead to unauthorized configuration changes that may affect the website's behavior, appearance, or security posture. Since even low-privileged users can exploit this flaw, it increases the risk of malicious or accidental misconfiguration, potentially compromising the integrity and reliability of the affected WordPress site. [1]

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to /wp-admin/admin-ajax.php whose action parameter is tpwvs_update_settings. In particular, look for POST requests carrying the tpwvs_general, tpwvs_shop, or tpwvs_style parameters with arbitrary JSON data. An example of such a request, as sent with curl, is:

curl -X POST -d 'action=tpwvs_update_settings&tpwvs_general={"pwned":"By Nxploited"}' https://yourwordpresssite.com/wp-admin/admin-ajax.php

Network monitoring tools or web application firewalls can also be configured to alert on such requests. [1]
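As an added example (not code from the BaseFortify page or from the plugin), the following Python flags requests of the kind described above when they come from a user role that should not be changing plugin settings. It assumes a request log that records method, path, form body and the authenticated user's role (the sample records below are constructed, not real traffic), and it also inspects the query string, since admin-ajax.php dispatches the action parameter from GET requests as well as POST.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample records (not real logs): one entry per HTTP request, as a WAF
# or reverse proxy with request-body logging might store it. The "role" field is an
# assumed enrichment taken from the authenticated WordPress session.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/wp-admin/admin-ajax.php", "role": "subscriber",
     "body": 'action=tpwvs_update_settings&tpwvs_general={"pwned":"By Nxploited"}'},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php", "role": "administrator",
     "body": "action=tpwvs_update_settings&tpwvs_style=%7B%22color%22%3A%22red%22%7D"},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php", "role": "subscriber",
     "body": "action=heartbeat&data=1"},
    {"method": "GET", "path": "/wp-admin/admin-ajax.php?action=tpwvs_update_settings",
     "role": "subscriber", "body": ""},
]

WATCHED_ACTION = "tpwvs_update_settings"
WATCHED_PARAMS = {"tpwvs_general", "tpwvs_shop", "tpwvs_style"}
ALLOWED_ROLES = {"administrator"}  # roles expected to change plugin settings (assumption)


def extract_params(request):
    """Merge query-string and (for POST) form-body parameters into one dict of lists."""
    params = parse_qs(urlparse(request["path"]).query, keep_blank_values=True)
    if request["method"] == "POST":
        for key, values in parse_qs(request["body"], keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return params


def is_settings_update(request):
    """True when the request targets admin-ajax.php with the watched action."""
    path = urlparse(request["path"]).path
    return path.endswith("/wp-admin/admin-ajax.php") and \
        WATCHED_ACTION in extract_params(request).get("action", [])


def find_suspicious(requests):
    """Return (index, role, watched params present) for settings updates from non-allowed roles."""
    findings = []
    for i, req in enumerate(requests):
        if is_settings_update(req) and req["role"] not in ALLOWED_ROLES:
            touched = sorted(WATCHED_PARAMS & set(extract_params(req)))
            findings.append((i, req["role"], touched))
    return findings


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_REQUESTS):
        print("ALERT: request #%d role=%s params=%s" % hit)
```

The administrator's update is not reported, so the rule targets the missing authorization check rather than every use of the settings action.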

Mitigation Strategies

Since no fix is currently available for this vulnerability, immediate mitigation steps include restricting access to the /wp-admin/admin-ajax.php endpoint to trusted users only, implementing additional access controls or firewall rules to block unauthorized POST requests to this endpoint, and monitoring logs for suspicious activity related to the tpwvs_update_settings action. Limiting authenticated user privileges to only those necessary can also reduce risk. [1]

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with standards such as GDPR or HIPAA.
