Description
The Phrase TMS Integration for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_delete_log' AJAX endpoint in all versions up to, and including, 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete log files.
Published: 2026-01-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Log Deletion
Action: Apply Patch
AI Analysis

Impact

The Phrase TMS Integration for WordPress plugin is vulnerable to unauthorized modification of data because the handler registered on the 'wp_ajax_delete_log' AJAX action performs no capability check, in all versions up to and including 4.7.5. Any authenticated user with Subscriber-level access or higher can therefore invoke the action and delete log files, destroying audit data and potentially disrupting compliance or monitoring activities. The weakness is classified as CWE-862 (Missing Authorization): the attacker does not gain a higher role, but an authorization gap lets low-privilege accounts perform an action that should be reserved for administrators.

Affected Systems

All versions of the Phrase TMS Integration for WordPress plugin, developed by memsource, up to and including version 4.7.5 are affected. Any WordPress site running one of those versions is exposed, and sites that allow open user registration (so that a Subscriber account can be obtained by anyone) are exposed to unauthenticated-in-practice attackers. A release newer than 4.7.5 is expected to add the capability check, but this page records no fixed version, so confirm the fix in the plugin's changelog rather than assuming it.

Risk and Exploitability

The CVSS 3.1 base score is 4.3 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N: reachable over the network, low attack complexity, low privileges required, no user interaction, with a low integrity impact and no confidentiality or availability impact. The EPSS score is below 1%, suggesting a low likelihood of exploitation, and the CVE is not listed in CISA's KEV catalog. Exploitation requires an account with at least the Subscriber role, which is trivial to obtain on sites with open registration. The attacker sends a request to wp-admin/admin-ajax.php with action=delete_log (WordPress dispatches that action name to the wp_ajax_delete_log hook); with no capability check in the handler, the log deletion runs under the Subscriber's session. The result is loss of the plugin's log data, an integrity impact on the audit trail. The page does not indicate that the handler accepts caller-supplied paths, so the impact should be read as deletion of the plugin's logs rather than arbitrary file deletion.

Generated by OpenCVE AI on April 22, 2026 at 11:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Phrase TMS Integration for WordPress plugin to the first release newer than 4.7.5 that adds a capability check to the wp_ajax_delete_log handler. This page records no fixed version, so confirm the fix in the plugin's changelog before relying on the upgrade.
  • If an upgrade is not immediately possible, block the action for non-administrators: a must-use plugin that hooks wp_ajax_delete_log at an earlier priority and rejects callers lacking the appropriate capability, or a WAF rule denying requests to wp-admin/admin-ajax.php whose action parameter is delete_log. Otherwise deactivate the plugin until a fixed release is available. Disabling open user registration also removes the easy route to a Subscriber account.
  • After applying the fix, verify it with a Subscriber-level test account: a request to wp-admin/admin-ajax.php with action=delete_log must be rejected and the log file must remain in place. WordPress core does not log AJAX calls by default, so review web-server access logs for POST requests to admin-ajax.php from low-privilege sessions, and check whether the plugin's log files have already been removed.
  • Review other plugins and custom code that register wp_ajax_* handlers to ensure each one calls current_user_can() with an appropriate capability (and verifies a nonce) before acting; being logged in is authentication, not authorization.
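As an added illustration (not code from the Phrase TMS Integration plugin, whose handler is not shown on this page), the following PHP contrasts a wp_ajax_* handler that exhibits the missing-authorization pattern described in the Impact and Risk sections with a hardened version, and shows the must-use-plugin gate suggested as an interim workaround above. The function names, the log path, the choice of the manage_options capability and the nonce action name are assumptions.

```php
<?php
/**
 * Added illustrative example, not the plugin's own code. Shows the CWE-862
 * pattern on a WordPress AJAX action, its fix, and a temporary gate for
 * sites that cannot upgrade yet. Names and paths below are hypothetical.
 */

// --- 1. Vulnerable pattern (do not deploy) ---------------------------------
// Every wp_ajax_* hook is reachable by any logged-in user via
// wp-admin/admin-ajax.php?action=delete_log. With no capability check,
// a Subscriber can trigger the deletion.
function example_delete_log_vulnerable() {
    $log = WP_CONTENT_DIR . '/uploads/example-plugin.log'; // hypothetical path
    if ( file_exists( $log ) ) {
        unlink( $log );
    }
    wp_send_json_success( 'deleted' );
}
// add_action( 'wp_ajax_delete_log', 'example_delete_log_vulnerable' );

// --- 2. Hardened pattern -----------------------------------------------------
function example_delete_log_secure() {
    // Authorization: only users who may manage the site can delete logs.
    // is_user_logged_in() is implied by the wp_ajax_ prefix and is NOT enough.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // ends the request
    }
    // CSRF: the admin page must have embedded a nonce for this action.
    check_ajax_referer( 'example_delete_log', 'nonce' ); // dies on failure

    $log = WP_CONTENT_DIR . '/uploads/example-plugin.log'; // hypothetical path
    if ( file_exists( $log ) && ! unlink( $log ) ) {
        wp_send_json_error( 'unlink failed', 500 );
    }
    wp_send_json_success( 'deleted' );
}
add_action( 'wp_ajax_delete_log', 'example_delete_log_secure' );

// --- 3. Interim gate as a must-use plugin (wp-content/mu-plugins/) ---------
// Runs at priority 1, ahead of a handler registered at the default priority
// 10. wp_send_json_error() terminates the request, so the vulnerable callback
// never executes for unauthorized callers. Remove once the plugin is fixed.
add_action( 'wp_ajax_delete_log', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
}, 1 );
```

The gate in section 3 only works if the plugin registers its own handler at a priority greater than 1; if the real plugin hooks at priority 0 or 1, lower the gate's priority accordingly or fall back to deactivating the plugin. To verify either fix, log in as a test Subscriber and POST action=delete_log to wp-admin/admin-ajax.php: the response should be the 403 "forbidden" error and the log file should still exist afterwards.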

Generated by OpenCVE AI on April 22, 2026 at 11:36 UTC.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 19:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 Jan 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Memsource; Memsource phrase Tms Integration For Wordpress; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Memsource; Memsource phrase Tms Integration For Wordpress; Wordpress; Wordpress wordpress

Sat, 17 Jan 2026 05:00:00 +0000

Type: Description
Values Added: The Phrase TMS Integration for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_delete_log' AJAX endpoint in all versions up to, and including, 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete log files.
Type: Title
Values Added: Phrase TMS Integration for WordPress <= 4.7.5 - Missing Authorization to Authenticated (Subscriber+) Log Deletion
Type: Weaknesses
Values Added: CWE-862
Type: References (no values recorded)
Type: Metrics
Values Added: cvssV3_1
{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:46:43.703Z

Reserved: 2025-10-24T14:24:58.628Z

Link: CVE-2025-12168

Vulnrichment

Updated: 2026-01-20T18:32:32.000Z

NVD

Status : Deferred

Published: 2026-01-17T05:16:08.763

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12168

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses