CVE-2025-13358: Critical Vulnerability in Accessiy WordPress Plugin Enables Unauthorized Page Creation

Overview

CVE-2025-13358 is a medium-severity security vulnerability affecting the Accessiy By CodeConfig Accessibility plugin for WordPress, versions up to and including 1.0.0. This vulnerability allows authenticated attackers with Subscriber-level access or higher to create arbitrary published pages on the WordPress site without proper authorization. This can lead to defacement, spam injection, or other malicious activities.

Technical Details

The vulnerability stems from a missing authorization check in the plugin's Settings::createPage() function. The handler behind the ccpcaCreatePage AJAX action never verifies whether the requesting user holds the capability needed to create and publish pages. Because WordPress's authenticated AJAX hooks only require a logged-in session, not any particular capability, any authenticated user, down to Subscriber-level access, can reach this code path and create published pages.

The vulnerable code resides in the following files:

  • includes/Ajax.php
  • includes/Ajax/Settings.php
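The following is an added illustration of the handler shape described above; it is not the plugin's actual code. It shows a `createPage()` handler with the missing check beside a hardened version that adds a nonce check and a capability check before calling `wp_insert_post()`. The class names, the nonce action name and the request parameter names are assumed; only the `ccpcaCreatePage` action and the `createPage()` method name come from the advisory.

```php
<?php
// Added example, not the plugin's own code.  WordPress dispatches the AJAX
// action "ccpcaCreatePage" to the hook "wp_ajax_ccpcaCreatePage" for any
// logged-in user; nothing below that hook checks capabilities unless the
// handler does so itself.

// --- Vulnerable shape: no capability check, no nonce check -----------------
class Settings_Vulnerable {            // class name assumed
    public static function createPage() {
        $title   = sanitize_text_field( wp_unslash( $_POST['title'] ?? 'Accessibility' ) );
        $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );

        // Reached by every authenticated user, Subscriber included.
        $id = wp_insert_post( array(
            'post_type'    => 'page',
            'post_status'  => 'publish',
            'post_title'   => $title,
            'post_content' => $content,
        ), true );

        if ( is_wp_error( $id ) ) {
            wp_send_json_error( $id->get_error_message() );
        }
        wp_send_json_success( array( 'page_id' => $id ) );
    }
}

// --- Hardened shape: authenticate the request, then authorize the user ----
class Settings_Hardened {              // class name assumed
    const NONCE_ACTION = 'ccpca_create_page';   // nonce action name assumed

    public static function createPage() {
        // 1. CSRF protection: the request must carry a nonce issued to this
        //    user for this action (sent from JS as the "nonce" POST field).
        check_ajax_referer( self::NONCE_ACTION, 'nonce' );

        // 2. Authorization: only users who may publish pages get further.
        //    publish_pages is held by Editors and Administrators, not Subscribers.
        if ( ! current_user_can( 'publish_pages' ) ) {
            wp_send_json_error( 'Insufficient permissions.', 403 );
        }

        $title   = sanitize_text_field( wp_unslash( $_POST['title'] ?? 'Accessibility' ) );
        $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );

        $id = wp_insert_post( array(
            'post_type'    => 'page',
            'post_status'  => 'publish',
            'post_title'   => $title,
            'post_content' => $content,
        ), true );

        if ( is_wp_error( $id ) ) {
            wp_send_json_error( $id->get_error_message() );
        }
        wp_send_json_success( array( 'page_id' => $id ) );
    }
}

// Registration for the hardened handler.  The nonce the JS must send is
// generated server-side with wp_create_nonce( Settings_Hardened::NONCE_ACTION ).
add_action( 'wp_ajax_ccpcaCreatePage', array( 'Settings_Hardened', 'createPage' ) );
```

Note that the nonce alone would not close this vulnerability: a nonce proves the request came from the user's own session, not that the user is allowed to publish pages. The `current_user_can()` check is the fix for the missing authorization; the nonce is the companion CSRF control that any state-changing AJAX handler should also have.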

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-13358 is 5.3 (Medium). This score reflects the potential impact of the vulnerability and the ease with which it can be exploited.

  • CVSS Score: 5.3
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

This means that the vulnerability is remotely exploitable, requires low attack complexity, and can be triggered by an authenticated user with low privileges. While the impact is limited to data integrity (modification of the website), it can still have significant consequences for the website owner.

Possible Impact

The successful exploitation of CVE-2025-13358 can have several negative consequences:

  • Website Defacement: Attackers can create pages with malicious content, altering the appearance and functionality of the website.
  • Spam Injection: Malicious actors can inject spam links and content into the created pages, harming the website’s search engine ranking and reputation.
  • Phishing Attacks: Attackers can create fake pages that mimic legitimate login or payment forms to steal user credentials or financial information.
  • SEO Poisoning: The creation of numerous low-quality or malicious pages can negatively impact the website’s search engine optimization (SEO).

Mitigation and Patch Steps

To mitigate the risk posed by CVE-2025-13358, it is strongly recommended to take the following steps:

  1. Update the Plugin: Upgrade the Accessiy By CodeConfig Accessibility plugin to the latest version as soon as a patched version is released by the plugin developer. This is the most effective way to address the vulnerability.
  2. Disable the Plugin: If an update is not immediately available, temporarily disable the Accessiy By CodeConfig Accessibility plugin until a patched version is released. This will prevent potential exploitation of the vulnerability.
  3. Monitor User Activity: Closely monitor user activity on your WordPress site for any suspicious page creation attempts.
  4. Web Application Firewall (WAF): Consider using a Web Application Firewall (WAF) with rules that can detect and block malicious requests targeting this vulnerability.
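For steps 3 and 4, when an update is not yet available and disabling the plugin is not acceptable, a must-use plugin can act as an interim guard and audit trail. The following is an added example, not part of the Accessiy plugin: it intercepts the `ccpcaCreatePage` action before the plugin's own handler runs and refuses callers without `publish_pages`, and it logs any page that reaches published status under an author who lacks that capability. It assumes the plugin registers its handler on `wp_ajax_ccpcaCreatePage` at WordPress's default priority (10); the `ccpca_guard_` function names are assumed.

```php
<?php
/**
 * Plugin Name: ccpca create-page guard (added example, not the plugin's code)
 * Description: Interim guard and audit log for CVE-2025-13358 until the plugin is updated.
 * Install: copy into wp-content/mu-plugins/ (mu-plugins load before regular plugins).
 */

// Assumption: the plugin hooks wp_ajax_ccpcaCreatePage at the default priority 10.
// Priority 1 here runs first, and wp_send_json_error() ends the request, so the
// plugin's handler never executes for a caller this guard rejects.
add_action( 'wp_ajax_ccpcaCreatePage', 'ccpca_guard_create_page', 1 );

function ccpca_guard_create_page() {
    if ( current_user_can( 'publish_pages' ) ) {
        return; // authorized user: let the plugin's own handler proceed
    }

    $user = wp_get_current_user();
    error_log( sprintf(
        'ccpca-guard: blocked ccpcaCreatePage from user "%s" (ID %d) ip=%s',
        $user->user_login,
        $user->ID,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    wp_send_json_error( 'Insufficient permissions.', 403 );
}

// Audit: wp_insert_post() assigns the current user as post_author, so a page
// that becomes published under an author without publish_pages is a strong
// signal that it was created through an unauthorized path such as this one.
add_action( 'transition_post_status', 'ccpca_guard_audit_publish', 10, 3 );

function ccpca_guard_audit_publish( $new_status, $old_status, $post ) {
    if ( 'page' !== $post->post_type || 'publish' !== $new_status || 'publish' === $old_status ) {
        return; // only newly published pages are of interest
    }

    if ( ! user_can( $post->post_author, 'publish_pages' ) ) {
        error_log( sprintf(
            'ccpca-guard: page %d "%s" published by low-privilege author %d',
            $post->ID,
            $post->post_title,
            $post->post_author
        ) );
    }
}
```

The log lines land in the PHP error log (or in `wp-content/debug.log` when `WP_DEBUG_LOG` is enabled), where they can be forwarded to whatever monitoring is already in place. For a one-off check of pages that may already have been created, `wp post list --post_type=page --post_status=publish --fields=ID,post_title,post_author,post_date` lists published pages with their authors so that entries owned by Subscriber-level accounts stand out.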
