CVE-2025-14718
BaseFortify
Publication date: 2026-01-09
Last updated on: 2026-01-09
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| publishpress | future | to 4.9.3 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Schedule Post Changes With PublishPress Future WordPress plugin (up to version 4.9.3) is an authorization bypass issue. It occurs because the plugin does not properly verify if a user is authorized to perform certain actions. As a result, authenticated users with Contributor-level access or higher can create, update, delete, and publish malicious workflows. These workflows can automatically delete any post upon publication or update, including posts created by administrators. The vulnerability is related to insufficient permission checks and lack of nonce validation in the plugin's REST API, which was later fixed by introducing stricter permission constants, nonce validation, and enhanced sanitization of workflow data. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker with Contributor-level access or above to manipulate workflows maliciously. They can create, update, delete, or publish workflows that automatically delete posts upon publication or update. This means important content, including administrator-created posts, can be deleted without proper authorization, potentially leading to data loss, disruption of website content, and unauthorized content manipulation. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can focus on monitoring REST API calls to the PublishPress Future plugin's Workflows endpoints for unauthorized or suspicious activity: specifically, requests lacking valid nonces ('X-WP-Nonce' and 'X-PP-Workflow-Nonce'), or requests from Contributor-level users that create, update, delete, or publish workflows. Such activity can be detected by reviewing web server logs, or by using a tool like curl to test the API endpoints with and without the required nonces; if a request without the nonces is accepted, the installed version is vulnerable. Additionally, plugin versions <= 4.9.3 can be identified with WordPress plugin management commands or by checking the plugin version files. [1]
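The version-file check mentioned above, as an added example that is not BaseFortify's or the plugin's own code: it reads the 'Version:' line of a WordPress plugin header and compares it numerically against 4.9.3, since a plain string comparison would misjudge versions such as 4.10.0. The plugin directory path is an assumption and the sample header is constructed.

```python
import re
from pathlib import Path

VULNERABLE_MAX = (4, 9, 3)  # highest affected version named in the advisory

# Matches the 'Version:' line of a WordPress plugin main-file header comment.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)

# Constructed sample header, shaped like a WordPress plugin main file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: PublishPress Future
 * Version: 4.9.3
 */
"""

def parse_version(text: str) -> tuple:
    """'4.9.3' -> (4, 9, 3). Numeric tuples compare correctly; comparing the
    strings would rank '4.10.0' below '4.9.3' and flag a patched install."""
    nums = []
    for piece in re.split(r"[.\-]", text):
        m = re.match(r"\d+", piece)
        if not m:
            break  # stop at a non-numeric suffix such as 'beta'
        nums.append(int(m.group()))
    return tuple(nums)

def version_from_header(php_source: str):
    """Return the declared plugin version, or None if no header is present."""
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None

def is_affected(version_str: str) -> bool:
    """True when the installed version falls in the affected range (<= 4.9.3)."""
    return parse_version(version_str) <= VULNERABLE_MAX

def check_plugin_dir(plugin_dir):
    """Scan top-level .php files of a plugin directory (assumed path, e.g.
    wp-content/plugins/<slug>) and return (version, affected)."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        ver = version_from_header(php.read_text(errors="replace"))
        if ver:
            return ver, is_affected(ver)
    return None, False  # no header found: cannot decide from files alone

if __name__ == "__main__":
    v = version_from_header(SAMPLE_HEADER)
    print(v, "affected" if is_affected(v) else "not in affected range")
```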
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the PublishPress Future plugin to version 4.9.4 or later, which includes fixes for this vulnerability by enforcing stricter permission checks, nonce validation, and improved sanitization. Until the update is applied, restrict Contributor-level users from accessing or modifying workflows, and monitor REST API usage for suspicious activity. Applying proper access controls and ensuring that REST API requests include valid nonces can help reduce risk. [1]