CVE-2025-12641
BaseFortify
Publication date: 2026-01-16
Last updated on: 2026-01-16
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| awesome_support | awesome_support | 6.3.6 |
| awesome_support | awesome_support | 6.3.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI-Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Awesome Support WordPress plugin (up to version 6.3.6) is an authorization bypass caused by a missing capability check in the function 'wpas_do_mr_activate_user'. This function does not verify whether the requesting user has permission to modify other users' roles. Additionally, there is a nonce reuse weakness: because all actions share the same nonce namespace, a nonce issued for public registration is also accepted for privileged actions. In combination, an unauthenticated attacker who can reach the public registration or submit ticket page can extract a valid nonce and invoke the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter to demote administrators to low-privilege roles.
How can this vulnerability impact me?
This vulnerability can allow unauthenticated attackers to demote administrator users to low-privilege roles without authorization. This means attackers can reduce the privileges of administrators, potentially disrupting site management, weakening security controls, and enabling further attacks or unauthorized actions by limiting administrative capabilities.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests to the publicly accessible registration or submit ticket page for the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter. Since the exploit involves unauthorized requests using a reused nonce, look for suspicious POST or GET requests containing 'wpas-do=mr_activate_user' and check whether these requests demote administrator roles. Commands to detect such activity could include filtering web server access logs or network monitoring output, for example:

1. Using grep on web server logs: `grep 'wpas-do=mr_activate_user' /var/log/apache2/access.log`. Note that access logs record only the request line, so this catches the action when it is passed in the query string; a POST body carrying the same parameter is not visible there and needs a WAF or application-level log.
2. Using curl or wget to test whether the action is accessible without proper authorization (for testing only in a controlled environment): `curl -G 'https://yourdomain.com/path-to-registration-page' --data-urlencode 'wpas-do=mr_activate_user' --data-urlencode 'user_id=some_user_id'`
3. Using intrusion detection systems or web application firewalls to alert on requests with this parameter.

Because the vulnerability involves nonce reuse and a missing capability check, detection focuses on unauthorized requests attempting to change user roles via this action. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Update the Awesome Support plugin to a version later than 6.3.6 where the vulnerability is fixed.
2. If updating is not immediately possible, restrict access to the registration and submit ticket pages to trusted users or disable public registrations temporarily.
3. Implement additional access controls or web application firewall rules to block requests containing 'wpas-do=mr_activate_user' or suspicious nonce reuse patterns.
4. Monitor user role changes closely to detect unauthorized demotions of administrator accounts.
5. Review and harden nonce usage and capability checks in the plugin's code if you have development resources, ensuring that actions modifying user roles verify user permissions properly and use unique nonce namespaces per action.

These steps help prevent unauthorized attackers from exploiting the missing capability check and nonce reuse to demote administrators. [1, 3]
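To make mitigation step 5 concrete, the following is an added, hypothetical WordPress action handler that shows the defect class named by the CWE-862 entry (a role change guarded only by a shared-namespace nonce) next to a hardened version that checks a capability, binds the nonce to the specific action and target, and validates the target. It is illustrative code written for this page, not the Awesome Support plugin's source: the function names (`example_weak_role_handler`, `example_hardened_role_handler`, `example_render_activate_form`), the nonce action strings, and the `wpas_action` shared-nonce name are invented; only the `wpas-do`, `mr_activate_user` and `user_id` parameter names come from the description above, and the handler's effect (setting the target's role) is an assumption about what such an action does.

```php
<?php
// Added, hypothetical example (not Awesome Support plugin code). Assumes a
// WordPress runtime: current_user_can(), wp_verify_nonce(), wp_nonce_field(),
// wp_die(), get_userdata(), absint(), sanitize_key(), esc_attr(),
// get_current_user_id() and is_super_admin() are WordPress core functions.

/**
 * Weak pattern (the CWE-862 shape): a role-changing action that only checks
 * that *some* nonce from a namespace shared by every 'wpas-do' operation is
 * present. A nonce obtained from an unrelated public form satisfies it, and
 * nothing asks whether the caller is allowed to change roles at all.
 */
function example_weak_role_handler() {
    if ( 'mr_activate_user' !== ( $_REQUEST['wpas-do'] ?? '' ) ) {
        return;
    }
    // One nonce action for all operations: nonces are interchangeable.
    if ( ! wp_verify_nonce( $_REQUEST['_wpnonce'] ?? '', 'wpas_action' ) ) {
        wp_die( 'Invalid nonce', 403 );
    }
    // Missing capability check: any requester holding a nonce acts on any user_id.
    $user = get_userdata( absint( $_REQUEST['user_id'] ?? 0 ) );
    if ( $user ) {
        $user->set_role( 'subscriber' ); // assumed effect of the action
    }
}

/**
 * Hardened pattern with three independent controls:
 *  1. Authorization: the caller must hold a capability that governs role
 *     changes ('promote_users' is the core capability for that).
 *  2. Per-action nonce: bound to this operation and this target user id, so a
 *     registration-page nonce cannot be replayed here and a valid nonce for
 *     one target cannot be redirected at another.
 *  3. Target validation and POST-only: the action cannot be triggered by a
 *     crafted link, cannot hit the caller's own account, and cannot touch a
 *     super admin through this path.
 */
function example_hardened_role_handler() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return;
    }
    if ( 'mr_activate_user' !== sanitize_key( $_POST['wpas-do'] ?? '' ) ) {
        return;
    }

    // 1. Authorization first; it does not depend on anything in the request body.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_die( 'You are not allowed to change user roles.', 403 );
    }

    $target_id = absint( $_POST['user_id'] ?? 0 );

    // 2. Nonce bound to action + target. The same string must be used when the
    //    form is rendered (see example_render_activate_form below).
    $nonce_action = 'example_mr_activate_user_' . $target_id;
    if ( ! wp_verify_nonce( $_POST['_wpnonce'] ?? '', $nonce_action ) ) {
        wp_die( 'Security token invalid or expired.', 403 );
    }

    // 3. Target validation.
    $target = get_userdata( $target_id );
    if ( ! $target || get_current_user_id() === $target_id || is_super_admin( $target_id ) ) {
        wp_die( 'Invalid target user.', 400 );
    }

    $target->set_role( 'subscriber' ); // assumed effect of the action
}

/**
 * Form emitting the matching per-target nonce; counterpart to control 2.
 * wp_nonce_field() writes the hidden '_wpnonce' input (and a referer field).
 */
function example_render_activate_form( $target_id ) {
    $target_id = absint( $target_id );
    echo '<form method="post">';
    echo '<input type="hidden" name="wpas-do" value="mr_activate_user">';
    echo '<input type="hidden" name="user_id" value="' . esc_attr( $target_id ) . '">';
    wp_nonce_field( 'example_mr_activate_user_' . $target_id );
    echo '<button type="submit">Activate user</button>';
    echo '</form>';
}
```

The order of checks matters: the capability test runs before the nonce test so that an unauthenticated request is rejected regardless of what token it carries, and the nonce action string includes the target id so that a nonce cannot be lifted from one form and replayed against a different user. A nonce is a CSRF control, not an authorization control; it never substitutes for `current_user_can()`.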
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized demotion of administrators to low-privilege roles due to missing capability checks and nonce reuse. This unauthorized privilege modification could lead to improper access control and potential exposure or alteration of sensitive data, which may violate compliance requirements under standards like GDPR and HIPAA that mandate strict access controls and protection of personal data. However, the plugin's user registration process enforces acceptance of terms and multiple GDPR consent notices, recording user consent with timestamps, indicating some compliance measures are in place. The vulnerability undermines these controls by enabling attackers to bypass authorization, potentially impacting compliance with data protection regulations. [1, 2]