Description
The Permalinks Cascade plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action in the handleTPCAdminAjaxRequest function. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized administrative actions such as enabling or disabling automatic pinging settings and modifying page exclusion settings.
Published: 2025-11-18
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Settings Modification
Action: Patch Upgrade
AI Analysis

Impact

The Permalinks Cascade WordPress plugin suffers from a missing authorization flaw in its admin AJAX handler, enabling any authenticated user with subscriber-level permissions or higher to alter essential plugin configuration. The flaw allows changing automatic pinging controls and page exclusion lists, potentially disrupting site telemetry, search engine indexing, or exposing sensitive URLs. While it does not grant code execution or direct data exfiltration, the integrity of the site’s operational settings is compromised, which can affect user experience and SEO performance.
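As an added illustration of the CWE-862 pattern described above (hypothetical code, not the plugin's own handler), the two handlers below show the missing-authorization shape in a WordPress admin-ajax callback and the capability check that closes it; the action, option and function names are assumed for the example:

```php
<?php
// Added example, not the Permalinks Cascade plugin's code. All names are hypothetical.
// Actions registered with wp_ajax_{action} are reachable via admin-ajax.php by every
// logged-in user, including Subscribers, so the handler itself must authorize the caller.

// Vulnerable shape (CWE-862): being logged in is treated as sufficient, and plugin
// settings are written without checking the caller's capabilities.
function example_settings_ajax_vulnerable() {
    $enable_ping = ! empty( $_POST['auto_ping'] );
    update_option( 'example_auto_ping', $enable_ping );
    wp_send_json_success();
}

// Hardened handler: the capability check decides whether this user may change
// settings (the missing-authorization fix); the nonce check ties the request to a
// form this user actually submitted (CSRF protection, a separate control).
function example_settings_ajax_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() terminates the request after sending the response.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    check_ajax_referer( 'example_settings_nonce', 'nonce' );

    $enable_ping = ! empty( $_POST['auto_ping'] );
    update_option( 'example_auto_ping', $enable_ping );

    // Page exclusion list: coerce every submitted ID to a non-negative integer.
    $excluded = isset( $_POST['excluded_pages'] ) ? (array) $_POST['excluded_pages'] : array();
    update_option( 'example_excluded_pages', array_map( 'absint', $excluded ) );

    wp_send_json_success();
}

// Register only the hardened handler for logged-in users.
add_action( 'wp_ajax_example_save_settings', 'example_settings_ajax_hardened' );
```

A Subscriber calling the registered action now receives a 403 instead of a settings change, while an administrator without a valid nonce is stopped by check_ajax_referer().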

Affected Systems

The vulnerability exists in all releases of the Permalinks Cascade plugin up to and including version 2.2. Users who have installed this plugin on any WordPress installation are affected; no specific host or server details are required beyond the presence of the plugin.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity, and the EPSS score of less than 1% reflects a very low probability of exploitation in the wild. The flaw is not catalogued in CISA KEV. The attack path requires an attacker to be authenticated to the WordPress site with a role of Subscriber or higher, after which the attacker can trigger the vulnerable admin endpoint to change plugin settings. No external trigger or additional vulnerability is necessary.

Generated by OpenCVE AI on April 21, 2026 at 01:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Permalinks Cascade plugin to the latest available version to receive the missing authorization fix.
  • If an upgrade is not yet possible, remove the plugin entirely or restrict WordPress access to this plugin’s admin area so that only administrators can view its settings.
  • Tighten the site’s user management so that all non-administrator accounts are limited to the Subscriber role, and consider disabling the Subscriber role if it is not required for normal content creation.

Advisories

No advisories yet.

History

Tue, 18 Nov 2025 22:15:00 +0000

Type: Metrics | Values Removed: (none) | Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 18 Nov 2025 14:30:00 +0000

Type: First Time appeared | Values Removed: (none) | Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products | Values Removed: (none) | Values Added: Wordpress; Wordpress wordpress

Tue, 18 Nov 2025 08:45:00 +0000

Type: Description | Values Removed: (none) | Values Added: The Permalinks Cascade plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action in the handleTPCAdminAjaxRequest function. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized administrative actions such as enabling or disabling automatic pinging settings and modifying page exclusion settings.
Type: Title | Values Removed: (none) | Values Added: The Permalinks Cascade <= 2.2 - Missing Authorization To Authenticated (Subscriber+) Plugin Settings Update
Type: Weaknesses | Values Removed: (none) | Values Added: CWE-862
Type: References | Values Removed: (none) | Values Added: (none listed)
Type: Metrics | Values Removed: (none) | Values Added: cvssV3_1
{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:19:39.070Z

Reserved: 2025-10-27T20:36:17.844Z

Link: CVE-2025-12372

Vulnrichment

Updated: 2025-11-18T21:42:48.447Z

NVD

Status: Deferred

Published: 2025-11-18T09:15:47.920

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12372

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:45:24Z

Weaknesses