CVE-2025-13149
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the "saveFutureActionData" function in all versions up to, and including, 4.9.1. This makes it possible for authenticated attackers, with author level access and above, to change the status of arbitrary posts and pages via the REST API endpoint.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| publishpress | Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories | 0 <= 4.9.1 | affected |
Weaknesses
- CWE-862: CWE-862 Missing Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/82ea0ebc-08aa-4ef5-b6b1-c7c13715ef6d?source=cve
- https://github.com/publishpress/publishpress-future/commit/0cbefc1632c6f1fffc5fa0ca85e6b8a641d41c7f
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.