CVE-2025-13358
BaseFortify
Publication date: 2025-12-06
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | codeconfig_accessibility | 1.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized AJAX requests to the `ccpcaCreatePage` action in the WordPress plugin. Specifically, look for POST requests to `admin-ajax.php` with the parameter `action=ccpcaCreatePage` originating from authenticated users with Subscriber-level access or higher. Commands to detect such activity could include using web server logs or network monitoring tools to filter for these requests. For example, using grep on Apache logs: `grep 'action=ccpcaCreatePage' /var/log/apache2/access.log` or using a network capture tool like tcpdump or Wireshark to filter HTTP POST requests containing `action=ccpcaCreatePage`. Additionally, monitoring WordPress logs or enabling debug logging to capture AJAX actions may help detect exploitation attempts. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Accessiy By CodeConfig Accessibility plugin to a version later than 1.0.0 where the authorization checks in the `Settings::createPage()` function are properly implemented. If an update is not yet available, restrict access to the AJAX action `ccpcaCreatePage` by limiting permissions so that only trusted users can invoke it, or disable the plugin temporarily. Additionally, monitor and audit user roles to ensure that Subscriber-level users do not have unnecessary permissions, and consider implementing additional security measures such as Web Application Firewalls (WAF) to block unauthorized AJAX requests targeting this action. [2]
Can you explain this vulnerability to me?
The Accessiy By CodeConfig Accessibility plugin for WordPress has a vulnerability where it does not perform proper authorization checks in the Settings::createPage() function. This allows authenticated users with Subscriber-level access or higher to create arbitrary published pages on the site via the ccpcaCreatePage AJAX action, even though they should not have permission to do so.
How can this vulnerability impact me? :
This vulnerability can allow unauthorized users with low-level access (Subscriber or above) to create published pages on your WordPress site without proper permission. This could lead to content injection, defacement, or the addition of malicious pages that could harm your site's integrity and reputation.