CVE-2025-12639: Critical Authorization Bypass in wModes WordPress Plugin Exposes Sensitive Data

Overview

CVE-2025-12639 identifies an authorization bypass vulnerability affecting the wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions plugin for WordPress. This flaw allows authenticated attackers with subscriber-level access or higher to access sensitive information that they should not have access to. This includes user emails, usernames, roles, capabilities, and WooCommerce data like products and payment methods. This vulnerability exists in versions up to and including 1.2.2 of the plugin.

Technical Details

The vulnerability stems from the plugin’s improper verification of user authorization when handling AJAX requests. Specifically, the AJAX endpoint does not adequately check if the requesting user has the necessary permissions to access the requested data. This allows an attacker with minimal privileges (e.g., a subscriber) to craft malicious AJAX requests to retrieve sensitive data. The vulnerable code can be traced back to the `class.reon.core.ajax.php` file within the plugin’s framework.
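To make the missing check concrete, here is an added illustration of the vulnerable AJAX-handler pattern beside its hardened form. It is not the plugin's own code; the hook names, the nonce action and the `wmodes_demo_*` function names are hypothetical.

```php
<?php
// Added illustration of the bug class described above, not the plugin's code.
// All wmodes_demo_* names and the nonce action are hypothetical.

// BEFORE (vulnerable pattern): every logged-in user, subscriber included,
// can reach wp_ajax_* handlers, and this one never asks whether the caller
// is allowed to see account data before returning it.
add_action( 'wp_ajax_wmodes_demo_list_users', 'wmodes_demo_list_users_vulnerable' );
function wmodes_demo_list_users_vulnerable() {
    $users = get_users( array( 'fields' => array( 'ID', 'user_login', 'user_email' ) ) );
    wp_send_json_success( $users ); // logins and emails of every account leak
}

// AFTER (hardened pattern): verify a nonce (request origin) and an explicit
// capability (authorization) before touching the data. A nonce on its own
// is not an authorization check; any user can obtain one from a page they can view.
add_action( 'wp_ajax_wmodes_demo_list_users_secure', 'wmodes_demo_list_users_secure' );
function wmodes_demo_list_users_secure() {
    // Dies with a 403 unless the 'nonce' request field matches the action.
    check_ajax_referer( 'wmodes_demo_nonce', 'nonce' );

    // The actual authorization decision: 'list_users' is a core capability
    // held by administrators, not by subscribers. For WooCommerce data the
    // analogous check would be current_user_can( 'manage_woocommerce' ).
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $users = get_users( array( 'fields' => array( 'ID', 'user_login', 'user_email' ) ) );
    wp_send_json_success( $users );
}
```

The nonce sent with the request would be generated server-side with `wp_create_nonce( 'wmodes_demo_nonce' )` and passed to the page's script via `wp_localize_script()`.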

Key locations within the code demonstrating the vulnerability include:

CVSS Analysis

  • Severity: MEDIUM
  • CVSS Score: 4.3

A CVSS score of 4.3 indicates a medium severity vulnerability. While exploitation requires authentication, the low privileges required for exploitation (subscriber-level access) and the potential for significant data leakage contribute to the overall risk. The vector is network-based (AV:N), requires authentication (AU:S), has a low impact on confidentiality (C:L), no impact on integrity (I:N), and no impact on availability (A:N).

Possible Impact

Successful exploitation of this vulnerability can have serious consequences:

  • Data Breach: Exposure of sensitive user data, including email addresses, usernames, roles, and capabilities.
  • WooCommerce Data Leakage: Compromise of product information and potentially payment method details, depending on the specific WooCommerce configuration.
  • Privilege Escalation: Attackers could potentially leverage the compromised data to further escalate their privileges within the WordPress site.
  • Reputation Damage: Data breaches can severely damage a website’s reputation and erode user trust.

Mitigation and Patch Steps

The primary mitigation step is to update the wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions plugin to the latest available version. Check the WordPress plugin repository or the plugin developer’s website for updates. The fix for this vulnerability was implemented in a subsequent release.

You can check the code changes that addressed the issue here: Plugin Changeset

If an update is not immediately available, consider temporarily disabling the plugin until a patched version is released.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.