Description
The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to modify the post type of arbitrary posts and pages they do not own, including those created by administrators, which can lead to site disruption, broken navigation, and SEO impact.
Published: 2025-11-18
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Change of Post Types
Action: Patch
AI Analysis

Impact

The Post Type Switcher plugin for WordPress contains an insecure direct object reference that lets authenticated users with the Author role or higher alter the post type of any post or page they do not own. The flaw permits the attacker to reclassify arbitrary content, which can break navigation, cause site disruption, and harm SEO. This weakness aligns with CWE-639, a lack of object-level authorization on a user-controlled key.

Affected Systems

WordPress installations running the Post Type Switcher plugin version 4.0.0 or earlier are affected. Administrators who have deployed these versions should review the plugin’s version and consider updating or disabling it.

Risk and Exploitability

With a CVSS score of 5.4, the vulnerability is of moderate severity. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild, and it is not listed in CISA's KEV catalog. Exploitation likely requires the attacker to be a logged-in user with Author or higher privileges and to know the identifier of the target post or page. Because no remote code execution or privilege escalation is involved, the impact is limited to content modification and the associated site disruption.

Generated by OpenCVE AI on April 21, 2026 at 18:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Post Type Switcher plugin to the latest available version that addresses the insecure direct object reference.
  • If an updated version is not available, consider disabling or uninstalling the plugin.
  • Apply the principle of least privilege by restricting Author‑level users from accessing post‑type‑change functionality, or re‑implement the authorization check in the plugin code.
  • Monitor site logs for unexpected post‑type changes to detect and respond to any unauthorized activity.
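To illustrate the missing object-level authorization the analysis describes and the check the recommended actions call for re-implementing, here is an added PHP example. It is hypothetical code, not the plugin's own: the handler, action and nonce names are assumed, and only core WordPress functions are used.

```php
<?php
// Added illustration, not code from the Post Type Switcher plugin: a
// hypothetical AJAX handler that changes a post's type, shown first with the
// IDOR shape the advisory describes, then hardened.

// Vulnerable shape: the post ID is a user-controlled key used directly,
// so any user who can reach the handler can retarget any post.
function pts_example_change_type_vulnerable() {
    $post_id  = absint( $_POST['post_id'] ?? 0 );
    $new_type = sanitize_key( $_POST['post_type'] ?? '' );
    set_post_type( $post_id, $new_type );   // no ownership or capability check
    wp_send_json_success();
}

// Hardened shape: verify the nonce, then authorise against the specific
// object (may this user edit *this* post?) and against the target type.
function pts_example_change_type_hardened() {
    check_ajax_referer( 'pts_example_change_type', 'nonce' );

    $post_id  = absint( $_POST['post_id'] ?? 0 );
    $new_type = sanitize_key( $_POST['post_type'] ?? '' );

    $post = get_post( $post_id );
    if ( ! $post ) {
        wp_send_json_error( 'unknown post', 404 );
    }

    // Object-level check. edit_post is a meta capability, so it resolves
    // ownership and status: an Author passes for their own posts only.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // The target type must be registered and the user must be allowed to
    // edit content of that type (an Author lacks edit_pages, for example).
    $type_obj = get_post_type_object( $new_type );
    if ( ! $type_obj || ! current_user_can( $type_obj->cap->edit_posts ) ) {
        wp_send_json_error( 'post type not allowed', 403 );
    }

    set_post_type( $post_id, $new_type );
    wp_send_json_success( array( 'post_id' => $post_id, 'post_type' => $new_type ) );
}

add_action( 'wp_ajax_pts_example_change_type', 'pts_example_change_type_hardened' );
```

The two capability checks are the substance of the fix: the first binds the action to the specific post the user names, the second prevents reclassifying content into a type the user could not have created.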

Advisories

No advisories yet.

History

Tue, 18 Nov 2025 17:15:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 18 Nov 2025 14:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Wordpress; Wordpress wordpress
Vendors & Products                     Wordpress; Wordpress wordpress

Tue, 18 Nov 2025 07:00:00 +0000

Type          Values Removed   Values Added
Description                    The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to modify the post type of arbitrary posts and pages they do not own, including those created by administrators, which can lead to site disruption, broken navigation, and SEO impact.
Title                          Post Type Switcher <= 4.0.0 - Insecure Direct Object Reference to Authenticated (Author+) Post Type Change
Weaknesses                     CWE-639
References
Metrics                        cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:52.747Z

Reserved: 2025-10-30T16:41:14.529Z

Link: CVE-2025-12524

Vulnrichment

Updated: 2025-11-18T16:34:59.108Z

NVD

Status: Deferred

Published: 2025-11-18T07:15:44.237

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12524

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:30:27Z

Weaknesses