CVE-2025-13358
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-13358, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-06

Last updated on: 2026-04-08

Assigner: Wordfence

Description

The Accessiy By CodeConfig Accessibility plugin for WordPress is vulnerable to unauthorized page creation due to missing authorization checks in versions up to, and including, 1.0.0. This is due to the plugin not performing capability checks in the `Settings::createPage()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary published pages on the site via the `ccpcaCreatePage` AJAX action.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-06
Last Modified
2026-04-08
Generated
2026-07-06
AI Q&A
2025-12-06
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wordpress codeconfig_accessibility 1.0.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Accessiy By CodeConfig Accessibility plugin for WordPress has a vulnerability where it does not perform proper authorization checks in the Settings::createPage() function. This allows authenticated users with Subscriber-level access or higher to create arbitrary published pages on the site via the ccpcaCreatePage AJAX action, even though they should not have permission to do so.

Impact Analysis

This vulnerability can allow unauthorized users with low-level access (Subscriber or above) to create published pages on your WordPress site without proper permission. This could lead to content injection, defacement, or the addition of malicious pages that could harm your site's integrity and reputation.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized AJAX requests to the `ccpcaCreatePage` action in the WordPress plugin. Specifically, look for POST requests to `admin-ajax.php` with the parameter `action=ccpcaCreatePage` originating from authenticated users with Subscriber-level access or higher. Commands to detect such activity could include using web server logs or network monitoring tools to filter for these requests. For example, using grep on Apache logs: `grep 'action=ccpcaCreatePage' /var/log/apache2/access.log` or using a network capture tool like tcpdump or Wireshark to filter HTTP POST requests containing `action=ccpcaCreatePage`. Additionally, monitoring WordPress logs or enabling debug logging to capture AJAX actions may help detect exploitation attempts. [2, 3]

Mitigation Strategies

Immediate mitigation steps include updating the Accessiy By CodeConfig Accessibility plugin to a version later than 1.0.0 where the authorization checks in the `Settings::createPage()` function are properly implemented. If an update is not yet available, restrict access to the AJAX action `ccpcaCreatePage` by limiting permissions so that only trusted users can invoke it, or disable the plugin temporarily. Additionally, monitor and audit user roles to ensure that Subscriber-level users do not have unnecessary permissions, and consider implementing additional security measures such as Web Application Firewalls (WAF) to block unauthorized AJAX requests targeting this action. [2]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13358. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart