The WP Page Permalink Extension plugin contains a missing authorization check on the cwpp_trigger_flush_rewrite_rules function. This function is exposed through the wp_ajax_cwpp_trigger_flush_rewrite_rules AJAX endpoint. If an authenticated user with a Subscriber role or higher accesses this endpoint and sets the action parameter, the plugin will flush all of the site's rewrite rules. Flushing the rewrite rules can abruptly disrupt site navigation, cause 404 errors, and affect the availability of content. The vulnerability is classified as CWE‑862, a missing authorization defect, and does not provide arbitrary code execution or privilege escalation.

WordPress sites using the infosatech WP Page Permalink Extension plugin, specifically all versions up to and including 1.5.4. No other vendors or products are currently documented as affected by this issue.

The CVSS score for this issue is 6.5, indicating a moderate severity. The EPSS score is less than 1%, suggesting a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker must first be authenticated and have at least Subscriber access. The attack vector is via the public AJAX endpoint, so it is a network-based attack that leverages the inherent authentication mechanism of WordPress. While exploitation does not grant the attacker higher privileges, the ability to flush rewrite rules can be used to create a denial‑of‑service condition or to set the stage for further attacks that depend on manipulating URL routing.