Overview
CVE-2025-12372 identifies a medium-severity vulnerability in the Permalinks Cascade plugin for WordPress. All versions up to and including 2.2 are affected. The flaw stems from a missing authorization check, which allows authenticated attackers with Subscriber-level access or higher to perform administrative actions they are not entitled to: enabling or disabling the plugin's automatic pinging setting and modifying its page exclusion settings.
Technical Details
The vulnerability lies in the handleTPCAdminAjaxRequest function of the Permalinks Cascade plugin. The handler does not verify that the user issuing the AJAX request holds the capability required for the requested action, so any authenticated user with Subscriber-level or higher access can bypass the intended access controls. The affected code is in the admin-controller.class.php and core.class.php files; the core issue is the absence of a sufficient capability check before administrative functions are executed from the AJAX request handler.
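As an added illustration (not code from the Permalinks Cascade plugin), the following shows a simplified WordPress AJAX settings handler written in the missing-authorization pattern the advisory describes, beside a hardened version of the same endpoint. The hook name tpc_example_update_setting, the option name tpc_settings and the nonce action tpc_example_nonce are placeholders; the plugin's real identifiers are not given on this page.

```php
<?php
// Added illustration, not code from the Permalinks Cascade plugin.
// Hook, option and nonce names below are placeholders.

// VULNERABLE PATTERN. wp_ajax_{action} fires for *any* logged-in user,
// including Subscribers, so registering the handler is not an
// authorization check by itself. Nothing here verifies a capability
// or a nonce before settings are written.
function tpc_example_vulnerable_handler() {
    $setting = sanitize_key( $_POST['setting'] ?? '' );
    $value   = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );

    $options             = get_option( 'tpc_settings', array() );
    $options[ $setting ] = $value;            // reachable by a Subscriber
    update_option( 'tpc_settings', $options );

    wp_send_json_success( $options );
}

// HARDENED PATTERN. Same endpoint, with the checks the vulnerable
// version lacks: capability, nonce, an allow-list of settings, and
// type-specific validation of the submitted value.
function tpc_example_hardened_handler() {
    // 1. Authorization: only users who may manage options can change plugin settings.
    //    wp_send_json_error() calls wp_die(), so execution stops here on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. Nonce: ties the request to a page rendered for this user (blocks CSRF).
    //    check_ajax_referer() also dies on failure.
    check_ajax_referer( 'tpc_example_nonce', 'nonce' );

    // 3. Allow-list: the endpoint may only touch the two settings it exists for.
    $setting = sanitize_key( $_POST['setting'] ?? '' );
    if ( ! in_array( $setting, array( 'automatic_pinging', 'excluded_pages' ), true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown setting.' ), 400 );
    }

    // 4. Validate per setting instead of storing an arbitrary string.
    if ( 'automatic_pinging' === $setting ) {
        $value = empty( $_POST['value'] ) ? 0 : 1;                            // boolean flag
    } else {
        $value = array_map( 'absint', (array) ( $_POST['value'] ?? array() ) ); // page IDs only
    }

    $options             = get_option( 'tpc_settings', array() );
    $options[ $setting ] = $value;
    update_option( 'tpc_settings', $options );

    wp_send_json_success( $options );
}

// Register only the hardened handler. Not registering a wp_ajax_nopriv_
// variant keeps the endpoint away from unauthenticated visitors; the
// capability check above is what keeps it away from low-privilege accounts.
add_action( 'wp_ajax_tpc_example_update_setting', 'tpc_example_hardened_handler' );
```

The nonce check only works if the JavaScript that sends the request includes a value produced by wp_create_nonce( 'tpc_example_nonce' ) in the nonce field; the capability check is independent of that and is the control whose absence this advisory describes.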
CVSS Analysis
- CVE ID: CVE-2025-12372
- Severity: MEDIUM
- CVSS Score: 4.3
The CVSS score of 4.3 corresponds to medium severity and reflects that an attacker must be authenticated to exploit the flaw. The impact is limited to modifying plugin settings, which could lead to SEO manipulation or other unintended changes to the website's permalink structure and internal linking.
Possible Impact
Successful exploitation of CVE-2025-12372 could allow a malicious actor to:
- Modify automatic pinging settings: This could be used for SEO spamming or to disrupt website functionality.
- Modify page exclusion settings: This could remove important pages from permalink cascading, leading to broken links or SEO issues.
- Potentially escalate privileges: While not a direct privilege escalation, manipulating settings could pave the way for further exploitation by, for example, creating a backdoor or injecting malicious code.
Mitigation or Patch Steps
The primary mitigation is to update the Permalinks Cascade plugin to a patched version newer than 2.2, once one is available. If an update is not yet available, consider the following:
- Disable the plugin: If the plugin’s functionality is not critical, disabling it will eliminate the vulnerability.
- Monitor user activity: Keep a close watch on user activity, especially those with subscriber-level access, for any suspicious behavior.
- Implement a Web Application Firewall (WAF): A WAF can be configured to detect and block malicious requests targeting the vulnerable function. This requires rules that specifically inspect requests reaching handleTPCAdminAjaxRequest and block those that do not come from an administrator account.
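As an added example that is not part of this advisory or of the plugin, the must-use plugin below is a temporary virtual patch covering the monitoring and blocking items above: it logs and refuses calls to the vulnerable AJAX action from non-administrator accounts before the plugin's own handler runs. It goes slightly beyond the WAF suggestion by doing the check inside WordPress, where the requester's role is known. The action string tpc_admin_ajax is a placeholder; the real value must be read from the plugin's admin-controller.class.php.

```php
<?php
/**
 * Plugin Name: Virtual patch for CVE-2025-12372 (added example)
 * Description: Blocks and logs calls to the vulnerable AJAX action from
 *              non-administrators until Permalinks Cascade is updated.
 *              Place this file in wp-content/mu-plugins/ and remove it
 *              once the plugin has been patched.
 */

// Placeholder: the advisory does not give the AJAX action string that
// routes to handleTPCAdminAjaxRequest. Read it from the
// add_action( 'wp_ajax_...' ) call in admin-controller.class.php.
function tpc_vpatch_guarded_actions() {
    return array( 'tpc_admin_ajax' );
}

function tpc_vpatch_guard() {
    // admin-ajax.php dispatches on $_REQUEST['action'], so inspect the same value.
    if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
        return;
    }
    $action = sanitize_text_field( wp_unslash( $_REQUEST['action'] ) );
    if ( ! in_array( $action, tpc_vpatch_guarded_actions(), true ) ) {
        return;
    }

    // Administrators keep using the plugin normally.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    // Everyone else is logged and refused before the plugin's handler runs.
    $user = wp_get_current_user();
    error_log( sprintf(
        '[tpc-vpatch] blocked action=%s user_id=%d login=%s roles=%s ip=%s',
        $action,
        $user->ID,
        $user->user_login,
        implode( ',', $user->roles ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
}

// admin-ajax.php fires admin_init before any wp_ajax_{action} hook, so this
// guard runs ahead of the vulnerable handler regardless of that hook's priority.
add_action( 'admin_init', 'tpc_vpatch_guard', 0 );
```

The log line goes to the PHP error log, or to wp-content/debug.log when WP_DEBUG_LOG is enabled, which gives the "monitor user activity" item above a concrete signal to watch: any blocked entry is a low-privilege account reaching for the administrative endpoint.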
