CVE-2025-14718
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-09

Last updated on: 2026-01-09

Assigner: Wordfence

Description
The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Contributor-level access and above, to create, update, delete, and publish malicious workflows that may automatically delete any post upon publication or update, including posts created by administrators.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-09
Last Modified
2026-01-09
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-14
NVD
CVE-2025-14718
EUVD
EUVD-2026-1803
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
publishpress future to 4.9.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Schedule Post Changes With PublishPress Future WordPress plugin (up to version 4.9.3) is an authorization bypass issue. It occurs because the plugin does not properly verify if a user is authorized to perform certain actions. As a result, authenticated users with Contributor-level access or higher can create, update, delete, and publish malicious workflows. These workflows can automatically delete any post upon publication or update, including posts created by administrators. The vulnerability is related to insufficient permission checks and lack of nonce validation in the plugin's REST API, which was later fixed by introducing stricter permission constants, nonce validation, and enhanced sanitization of workflow data. [1]

Impact Analysis

This vulnerability can allow an attacker with Contributor-level access or above to manipulate workflows maliciously. They can create, update, delete, or publish workflows that automatically delete posts upon publication or update. This means important content, including administrator-created posts, can be deleted without proper authorization, potentially leading to data loss, disruption of website content, and unauthorized content manipulation. [1]

Detection Guidance

Detection can focus on monitoring REST API calls to the PublishPress Future plugin's Workflows endpoints for unauthorized or suspicious activity. Specifically, look for API requests lacking valid nonces ('X-WP-Nonce' and 'X-PP-Workflow-Nonce') or made by users with Contributor-level access performing create, update, delete, or publish actions on workflows. Commands to detect such activity could include using web server logs or tools like curl to test API endpoints with and without proper nonces. For example, using curl to attempt REST API calls without the required nonces and observing if the request is accepted can help detect vulnerable versions. Additionally, scanning for plugin versions <= 4.9.3 can be done via WordPress plugin management commands or by checking the plugin version files. [1]

Mitigation Strategies

The immediate mitigation step is to update the PublishPress Future plugin to version 4.9.4 or later, which includes fixes for this vulnerability by enforcing stricter permission checks, nonce validation, and improved sanitization. Until the update is applied, restrict Contributor-level users from accessing or modifying workflows, and monitor REST API usage for suspicious activity. Applying proper access controls and ensuring that REST API requests include valid nonces can help reduce risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14718. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart