CVE-2025-12524

low-risk
Published 2025-11-18

The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to modify the post type of arbitrary posts and pages they do not own, including those created by administrators, which can lead to site disruption, broken navigation, and SEO impact.

Do I need to act?

-
0.05% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10 Medium
NETWORK / LOW complexity

References (6)

https://cwe.mitre.org/data/definitions/639.html
https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authori...
https://plugins.trac.wordpress.org/browser/post-type-switcher/tags/4.0.0/post-ty...
https://plugins.trac.wordpress.org/browser/post-type-switcher/tags/4.0.0/post-ty...
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new...
https://www.wordfence.com/threat-intel/vulnerabilities/id/d875514c-c7d3-4236-842...
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal