CVE-2025-12524: Critical Post Type Switcher Vulnerability Exposes WordPress Sites to Content Manipulation

Overview

CVE-2025-12524 is a medium severity vulnerability affecting the Post Type Switcher plugin for WordPress. This vulnerability, an Insecure Direct Object Reference (IDOR), allows authenticated attackers with Author-level access or higher to modify the post type of arbitrary posts and pages, including those created by administrators. This can lead to significant site disruption and SEO impact.

Technical Details

The vulnerability resides in versions up to and including 4.0.0 of the Post Type Switcher plugin. It stems from missing validation on a user-controlled key, specifically the `post_id` parameter used when switching post types. Attackers can exploit this by manipulating the `post_id` to target posts they do not own. Without proper authorization checks, the plugin allows the user to change the post type regardless of ownership or permissions.
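The following is an added, hypothetical admin-ajax handler, not the Post Type Switcher plugin's own code (the action name, function names and nonce action are invented), written to show the class of defect just described next to the checks that close it. The security-relevant line is the object-level authorization check on the requested `post_id`: WordPress's `edit_post` meta capability resolves to `edit_others_posts` when the post belongs to someone else, which is exactly the distinction the vulnerable pattern skips.

```php
<?php
/**
 * Illustrative (hypothetical) handler for a "switch post type" request.
 * This is NOT the Post Type Switcher plugin's code; names are invented.
 */

// Vulnerable pattern: post_id is taken from the request and the only gate is
// "the user is logged in" (which admin-ajax already implies). Nothing ties
// $post_id to the caller, so an Author can retype an Administrator's post.
// Shown for comparison only; it is deliberately not hooked to any action.
function example_switch_post_type_unsafe() {
    $post_id  = (int) $_POST['post_id'];
    $new_type = sanitize_key( $_POST['post_type'] );
    wp_update_post( array( 'ID' => $post_id, 'post_type' => $new_type ) );
    wp_send_json_success();
}

// Hardened pattern: verify intent (nonce), verify the caller may edit THIS
// post, and verify the target type is real and one the caller may use.
function example_switch_post_type_safe() {
    // 1. CSRF protection: the nonce must have been issued to this user.
    check_ajax_referer( 'example_switch_post_type', 'nonce' );

    $post_id  = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $new_type = isset( $_POST['post_type'] )
        ? sanitize_key( wp_unslash( $_POST['post_type'] ) )
        : '';

    // 2. Object-level authorization on the user-controlled key. 'edit_post'
    //    is a meta capability: for someone else's post it maps to
    //    edit_others_posts (or edit_others_pages), which Authors lack.
    if ( ! $post_id || ! get_post( $post_id ) || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. The target type must exist and the caller must be allowed to create
    //    content of that type (on a default install Authors cannot edit pages).
    $type_obj = get_post_type_object( $new_type );
    if ( ! $type_obj || ! current_user_can( $type_obj->cap->edit_posts ) ) {
        wp_send_json_error( 'invalid post type', 400 );
    }

    // Ask wp_update_post for a WP_Error instead of 0 so failures are visible.
    $result = wp_update_post( array( 'ID' => $post_id, 'post_type' => $new_type ), true );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id, 'post_type' => $new_type ) );
}
add_action( 'wp_ajax_example_switch_post_type', 'example_switch_post_type_safe' );
```

When reviewing a patch for this kind of IDOR, the thing to confirm is step 2: a check that is keyed on the specific post ID being modified (`current_user_can( 'edit_post', $post_id )`), not merely on a role-level capability such as `edit_posts`, which every Author already holds.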

The affected code areas are highlighted in the following files (version 4.0.0):

CVSS Analysis

  • Severity: MEDIUM
  • CVSS Score: 5.4

This CVSS score reflects that an authenticated user with relatively low privileges (Author) can cause significant disruption without any further preconditions. The vector weighs the ease of exploitation against the impact on confidentiality, integrity, and availability; here the damage is mainly to integrity and availability of content rather than to confidentiality.

Possible Impact

Successful exploitation of CVE-2025-12524 can lead to several negative consequences:

  • Site Disruption: Changing post types can break layouts, functionalities, and user experience.
  • Broken Navigation: Incorrect post types can cause posts and pages to disappear from menus and archives.
  • SEO Impact: Altering post types can affect permalinks, indexing, and search engine rankings.
  • Content Manipulation: Attackers could potentially change crucial site pages into a different post type, rendering them inaccessible or unusable.

Mitigation or Patch Steps

The vulnerability has been patched in later versions of the Post Type Switcher plugin. Users are strongly advised to update to the latest version of the plugin immediately.

Verify that the latest version includes changes addressing the Insecure Direct Object Reference. Look for commits similar to the fix implemented in the plugin’s commit history.

As a temporary workaround, if immediate updating isn’t possible, consider limiting the role permissions to only trusted administrators and thoroughly auditing any user activity related to post type changes.
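The two parts of that interim workaround can be enforced with a small must-use plugin. The following is an added example, not part of the Post Type Switcher plugin or the original post; the plugin name, function prefix and the choice of `manage_options` as the "trusted administrator" capability are assumptions for this example. It reverts any post type change attempted by a user without that capability before it is saved, and writes an audit line for every post type change (blocked or successful) so the activity can be reviewed.

```php
<?php
/**
 * Plugin Name: Example Post Type Change Guard (illustrative mu-plugin)
 *
 * Hypothetical must-use plugin (place in wp-content/mu-plugins/). Not part of
 * the Post Type Switcher plugin. Two controls:
 *   1. Only users holding EXAMPTG_REQUIRED_CAP may change an existing post's
 *      type; for anyone else the change is silently reverted before saving.
 *   2. Every post type change is written to the PHP error log with the acting
 *      user, so the activity can be audited.
 */

// Capability that marks a "trusted administrator" (assumption for this
// example; Administrators hold manage_options on a default install).
const EXAMPTG_REQUIRED_CAP = 'manage_options';

// Control 1: revert post_type changes by untrusted users before they persist.
// wp_insert_post_data runs for every insert/update, whatever code path
// (plugin ajax handler, REST, editor) initiated it.
function examptg_block_untrusted_type_change( $data, $postarr ) {
    // Only an update of an existing post can change its type.
    if ( empty( $postarr['ID'] ) ) {
        return $data;
    }
    $existing = get_post( (int) $postarr['ID'] );
    if ( ! $existing || $existing->post_type === $data['post_type'] ) {
        return $data;
    }
    if ( ! current_user_can( EXAMPTG_REQUIRED_CAP ) ) {
        examptg_log( 'BLOCKED', $existing->ID, $existing->post_type, $data['post_type'] );
        $data['post_type'] = $existing->post_type; // keep the original type
    }
    return $data;
}
add_filter( 'wp_insert_post_data', 'examptg_block_untrusted_type_change', 10, 2 );

// Control 2: record every post type change that actually went through.
// post_updated passes the post object before and after the update.
function examptg_audit_type_change( $post_id, $post_after, $post_before ) {
    if ( $post_before->post_type !== $post_after->post_type ) {
        examptg_log( 'CHANGED', $post_id, $post_before->post_type, $post_after->post_type );
    }
}
add_action( 'post_updated', 'examptg_audit_type_change', 10, 3 );

// One key=value log line per event, via error_log so it lands in the PHP or
// web server error log alongside other application events.
function examptg_log( $event, $post_id, $old_type, $new_type ) {
    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'cli';
    error_log( sprintf(
        'post_type_audit event=%s post_id=%d old_type=%s new_type=%s user_id=%d user_login=%s ip=%s',
        $event, $post_id, $old_type, $new_type, $user->ID, $user->user_login, $ip
    ) );
}
```

Searching the error log for `post_type_audit event=BLOCKED` gives a direct list of non-administrator accounts that tried to retype content they should not have been able to touch; while the plugin remains unpatched, any such line from an Author-level account is worth investigating. Because the revert happens in `wp_insert_post_data`, it also covers post type changes made through any other code path, not just the plugin's own request handler.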

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
