CVE-2025-14172
BaseFortify
Publication date: 2026-01-09
Last updated on: 2026-01-09
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_page_permalink_extension | plugin | to 1.5.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the WP Page Permalink Extension plugin for WordPress, where there are missing authorization checks on the function 'cwpp_trigger_flush_rewrite_rules'. This function is hooked to 'wp_ajax_cwpp_trigger_flush_rewrite_rules', allowing authenticated users with Subscriber-level access or higher to flush the site's rewrite rules via the 'action' parameter without proper permission verification.
How can this vulnerability impact me? :
An attacker with at least Subscriber-level access can flush the site's rewrite rules, which could lead to denial of service or disruption of site functionality by causing unexpected behavior in URL routing. This may affect site availability and integrity.