CVE-2025-12157 - Vulnerability Details

- Simple User Capabilities <= 1.0 - Missing Authorization to Unauthenticated Capability Reset

Description

The Simple User Capabilities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_reset_capability' AJAX endpoint in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to reset any user's capabilities.

Published: 2025-11-04

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Simple User Capabilities plugin for WordPress fails to perform a capability check on its 'wp_ajax_nopriv_reset_capability' AJAX endpoint. As a result, anyone who can reach the endpoint—even without logging in—can trigger a reset of another user’s capabilities. This represents an authorization bypass (CWE-862) that could allow an attacker to grant themselves admin-level access, remove privileges from administrators, or otherwise manipulate role configurations. The direct consequence is the loss of integrity over user roles and the potential for elevated privilege actions across the site.

Affected Systems

The vulnerability affects all versions of the Simple User Capabilities plugin up to and including 1.0, as distributed by tanvirahmed1984 on the WordPress plugin repository. Any WordPress installation that has this plugin installed at a version 1.0 or earlier is susceptible. No specific sub-version information is provided, so the entire version range is considered at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate security risk, while the EPSS score of less than 1% suggests that the likelihood of exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only an unauthenticated HTTP request to the Ajax endpoint, meaning any unauthenticated user who can send a crafted request to the site’s AJAX handler can reset capabilities. No special privileges or credentials are required, making the attack vector broad for exposed WordPress sites that use this plugin.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

tanvirahmed1984

Simple User Capabilities

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.0

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Simple User Capabilities to a version newer than 1.0 if available, or remove the plugin entirely if an update is not possible.
If immediate removal is not feasible, block or filter requests to the wp_ajax_nopriv_reset_capability endpoint using web‑application firewall rules or .htaccess rewrites to enforce authentication checks.
As a temporary workaround, consider adding a custom role or capability check on the endpoint by modifying the plugin’s code or applying a patch that enforces an authorization check before processing the reset request.

Generated by OpenCVE AI on April 22, 2026 at 12:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00114.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://plugins.svn.wordpress.org/simple-user-capabilities/tags/1.0/user_access.php
https://wordpress.org/plugins/simple-user-capabilities/
https://www.wordfence.com/threat-intel/vulnerabilities/id/3a1d0432-aff0-477e-aa6e-4de3e4d789cb?source=cve

History

Tue, 04 Nov 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 04 Nov 2025 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress
Vendors & Products		Wordpress Wordpress wordpress

Tue, 04 Nov 2025 04:45:00 +0000

Type	Values Removed	Values Added
Description		The Simple User Capabilities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_reset_capability' AJAX endpoint in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to reset any user's capabilities.
Title		Simple User Capabilities <= 1.0 - Missing Authorization to Unauthenticated Capability Reset
Weaknesses		CWE-862
References		https://plugins.svn.wordpress.org/simple-user-capabilities/tags/1.0/user_access.php https://wordpress.org/plugins/simple-user-capabilities/ https://www.wordfence.com/threat-intel/vulnerabilities/id/3a1d0432-aff0-477e-aa6e-4de3e4d789cb?source=cve
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-11-04T04:27:16.185Z

Updated: 2026-04-08T16:46:57.760Z

Reserved: 2025-10-24T13:18:32.870Z

Link: CVE-2025-12157

Vulnrichment

Updated: 2025-11-04T17:15:56.227Z

NVD

Status : Deferred

Published: 2025-11-04T05:16:09.357

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12157

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:15:16Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object