Description
The Live CSS Preview plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_frontend_save' AJAX endpoint in all versions up to, and including, 2.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's css setting.
Published: 2025-12-05
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration change
Action: Immediate Patch
AI Analysis

Impact

The Live CSS Preview plugin for WordPress contains a missing capability check on its AJAX endpoint 'wp_ajax_frontend_save'. This vulnerability allows an authenticated user with Subscriber-level access or higher to modify the plugin's CSS settings without proper authorization. The flaw results in unauthorized alteration of configuration data, which could be used to affect site appearance or embed malicious code, representing a potential data integrity issue.

Affected Systems

The vulnerability affects the Live CSS Preview plugin by Dojo Digital for WordPress versions up to and including 2.1.4. Any WordPress site running one of these versions is a potential target.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate-severity vulnerability. The EPSS score of less than 1% suggests that exploitation is unlikely but still possible, especially by attackers who can log in as a Subscriber or higher. The flaw is not listed in CISA's KEV catalog, meaning no confirmed in-the-wild exploitation has been reported. The likely attack vector is an authenticated web request to the vulnerable AJAX endpoint, through which an attacker can change the CSS settings by supplying the required parameters.

Generated by OpenCVE AI on April 22, 2026 at 11:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Live CSS Preview plugin to version 2.1.5 or later, if available.
  • If a newer version is not available, disable the 'wp_ajax_frontend_save' AJAX action through custom code or a plugin that restricts access to that endpoint.
  • Restrict Subscriber-level users from having the capability to edit CSS settings by modifying WordPress role capabilities or using a role-management plugin.
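The second recommended action above (gating the 'wp_ajax_frontend_save' action with custom code until the fixed release is installed) can be done with a small must-use plugin. The following is an added example written for this record, not code from the Live CSS Preview plugin or from Dojo Digital. It assumes 'manage_options' is the capability an administrator should hold to change the stylesheet (the plugin's intended capability is not stated in the record), and the option name, nonce action and second action name in the hardened handler are hypothetical placeholders. The first part is the interim guard; the second shows what a handler with the capability check that CWE-862 describes as missing looks like.

```php
<?php
/**
 * Plugin Name: Interim guard for Live CSS Preview AJAX save
 *
 * Added example for this record, not the plugin's own code.
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 *
 * Part 1: guard the action name given in the advisory. Priority 0 runs
 * before the plugin's handler (default priority 10) and ends the request
 * unless the caller holds the assumed capability 'manage_options'.
 */
add_action( 'wp_ajax_frontend_save', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() sends the payload and then calls wp_die(),
        // so the plugin's own callback never runs for this request.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
}, 0 );

/**
 * Part 2: a correctly authorized save handler for a CSS setting.
 * Option name, nonce action and AJAX action name are placeholders.
 */
function example_hardened_css_save() {
    // Authorization: the capability check that was missing (CWE-862).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // CSRF protection: check_ajax_referer() dies unless the 'nonce' field
    // carries a valid nonce created with wp_create_nonce('example_css_save_action').
    check_ajax_referer( 'example_css_save_action', 'nonce' );

    // Input handling: unslash the POSTed value, strip any markup, bound its size.
    $css = isset( $_POST['css'] ) ? wp_unslash( $_POST['css'] ) : '';
    $css = wp_strip_all_tags( $css );
    if ( strlen( $css ) > 100000 ) {
        wp_send_json_error( array( 'message' => 'Stylesheet too large.' ), 413 );
    }

    update_option( 'example_live_css', $css );
    wp_send_json_success( array( 'saved' => true ) );
}

// Logged-in users only; deliberately no 'wp_ajax_nopriv_' registration,
// so unauthenticated callers never reach the handler.
add_action( 'wp_ajax_example_css_save', 'example_hardened_css_save' );
```

The guard in part 1 relies on the plugin registering its own callback at a priority greater than 0; if a later version of the plugin changes that, the guard must be revisited. It is a stop-gap that should be removed once the upgrade to a fixed version is in place, and it does not by itself address the missing nonce check, which only the plugin's own handler can supply.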

Generated by OpenCVE AI on April 22, 2026 at 11:39 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type: Description
  Values Removed: The Live CSS Preview plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_frontend_save' AJAX endpoint in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's css setting.
  Values Added: The Live CSS Preview plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_frontend_save' AJAX endpoint in all versions up to, and including, 2.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's css setting.
Type: Title
  Values Removed: Live CSS Preview <= 2.0.0 - Missing Authorization to Authenticated (Subscriber+) Settings Update
  Values Added: Live CSS Preview <= 2.1.4 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Type: References

Fri, 05 Dec 2025 21:00:00 +0000

Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Fri, 05 Dec 2025 14:15:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Dec 2025 06:30:00 +0000

Type: Description
  Values Added: The Live CSS Preview plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_frontend_save' AJAX endpoint in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's css setting.
Type: Title
  Values Added: Live CSS Preview <= 2.0.0 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Type: Weaknesses
  Values Added: CWE-862
Type: References
Type: Metrics (cvssV3_1)
  Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:47:59.035Z

Reserved: 2025-10-27T15:17:32.188Z

Link: CVE-2025-12354

Vulnrichment

Updated: 2025-12-05T13:45:16.497Z

NVD

Status : Deferred

Published: 2025-12-05T07:16:10.413

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12354

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses