CVE-2025-12641
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-16

Last updated on: 2026-01-16

Assigner: Wordfence

Description
The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter, granted they can access the publicly available registration/submit ticket page to extract a valid nonce.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-16
Last Modified
2026-01-16
Generated
2026-06-16
AI Q&A
2026-01-17
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12641
EUVD
EUVD-2026-2970
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
awesome_support awesome_support 6.3.6
awesome_support awesome_support 6.3.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthorized demotion of administrators to low-privilege roles due to missing capability checks and nonce reuse. This unauthorized privilege modification could lead to improper access control and potential exposure or alteration of sensitive data, which may violate compliance requirements under standards like GDPR and HIPAA that mandate strict access controls and protection of personal data. However, the plugin's user registration process enforces acceptance of terms and multiple GDPR consent notices, recording user consent with timestamps, indicating some compliance measures are in place. The vulnerability undermines these controls by enabling attackers to bypass authorization, potentially impacting compliance with data protection regulations. [1, 2]

Executive Summary

The vulnerability in the Awesome Support WordPress plugin (up to version 6.3.6) is an authorization bypass caused by missing capability checks in the function 'wpas_do_mr_activate_user'. This function does not verify if a user has permission to modify other users' roles. Additionally, there is a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This combination allows unauthenticated attackers who can access the public registration or submit ticket page to extract a valid nonce and use the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter to demote administrators to low-privilege roles.

Impact Analysis

This vulnerability can allow unauthenticated attackers to demote administrator users to low-privilege roles without authorization. This means attackers can reduce the privileges of administrators, potentially disrupting site management, weakening security controls, and enabling further attacks or unauthorized actions by limiting administrative capabilities.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the publicly accessible registration or submit ticket page for the presence of the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter. Since the exploit involves unauthorized requests using a reused nonce, you can look for suspicious POST or GET requests containing 'wpas-do=mr_activate_user' and check if these requests are demoting administrator roles. Commands to detect such activity could include using web server access logs or network monitoring tools to filter requests, for example: 1. Using grep on web server logs: grep 'wpas-do=mr_activate_user' /var/log/apache2/access.log 2. Using curl or wget to test if the action is accessible without proper authorization (for testing only in a controlled environment): curl -G 'https://yourdomain.com/path-to-registration-page' --data-urlencode 'wpas-do=mr_activate_user' --data-urlencode 'user_id=some_user_id' 3. Using intrusion detection systems or web application firewalls to alert on requests with this parameter. Note that the vulnerability involves nonce reuse and missing capability checks, so detection focuses on unauthorized requests attempting to change user roles via this action. [3]

Mitigation Strategies

Immediate mitigation steps include: 1. Update the Awesome Support plugin to a version later than 6.3.6 where the vulnerability is fixed. 2. If updating is not immediately possible, restrict access to the registration and submit ticket pages to trusted users or disable public registrations temporarily. 3. Implement additional access controls or web application firewall rules to block requests containing 'wpas-do=mr_activate_user' or suspicious nonce reuse patterns. 4. Monitor user role changes closely to detect unauthorized demotions of administrator accounts. 5. Review and harden nonce usage and capability checks in the plugin's code if you have development resources, ensuring that actions modifying user roles verify user permissions properly and use unique nonce namespaces per action. These steps help prevent unauthorized attackers from exploiting the missing capability checks and nonce reuse vulnerability to demote administrators. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12641. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart