{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12165", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-24T14:16:57.300Z", "datePublished": "2025-12-05T05:31:22.211Z", "dateUpdated": "2026-04-08T16:47:19.133Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:19.133Z"}, "affected": [{"vendor": "huyme", "product": "Webcake \u2013 Landing Page Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Webcake \u2013 Landing Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webcake_save_config' AJAX endpoint in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's settings."}], "title": "Webcake \u2013 Landing Page Builder <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3bdeb2a1-ab97-45ff-808e-37e631d5e9cf?source=cve"}, {"url": "https://wordpress.org/plugins/webcake/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3410508%40webcake&new=3410508%40webcake"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2025-12-04T16:38:45.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-05T15:17:32.027725Z", "id": "CVE-2025-12165", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T15:18:27.840Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12165", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-05T15:17:32.027725Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-05T15:18:13.748Z"}}], "cna": {"title": "Webcake \u2013 Landing Page Builder <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "huyme", "product": "Webcake \u2013 Landing Page Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-04T16:38:45.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3bdeb2a1-ab97-45ff-808e-37e631d5e9cf?source=cve"}, {"url": "https://wordpress.org/plugins/webcake/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3410508%40webcake&new=3410508%40webcake"}], "descriptions": [{"lang": "en", "value": "The Webcake \u2013 Landing Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webcake_save_config' AJAX endpoint in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:47:19.133Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12165", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:47:19.133Z", "dateReserved": "2025-10-24T14:16:57.300Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-05T05:31:22.211Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Webcake \u2013 Landing Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webcake_save_config' AJAX endpoint in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's settings."}], "id": "CVE-2025-12165", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-05T06:16:06.237", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3410508%40webcake&new=3410508%40webcake"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/webcake/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3bdeb2a1-ab97-45ff-808e-37e631d5e9cf?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T11:40:44.891470+00:00", "value": {"mitigation_remediation": ["Upgrade the Webcake \u2013 Landing Page Builder plugin to version 1.2 or later, which includes the capability check for the webcake_save_config endpoint.", "Limit the Subscriber role (or any role that can authenticate) from accessing the site's core administration or AJAX endpoints by adjusting WordPress capability settings or using a security plugin to restrict role permissions.", "Remove or disable any unused or test subscriber accounts that could be used by attackers to exploit the missing authorization check."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Configuration Modification"}, "threat_synthesis": {"affected_systems": "WordPress sites using the Webcake \u2013 Landing Page Builder plugin, versions up to and including 1.1. Any authenticated user who holds the Subscriber role or any higher role can exploit this flaw.", "description_and_impact": "The vulnerability in the Webcake \u2013 Landing Page Builder plugin arises from a missing capability check on the webcake_save_config AJAX endpoint. This flaw allows authenticated users with Subscriber-level access or higher to modify the plugin\u2019s settings, enabling them to alter the look, structure, or behavior of the landing pages on the affected WordPress site. Because the plugin controls key visual elements and potentially redirection logic, an attacker could inject malicious content, change URLs, or deface the site. The weakness is identified as CWE-862 \u2013 missing authorization, which means the integrity of configuration data is compromised without consideration of the user\u2019s role.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, but the EPSS score of less than 1% suggests a low probability of exploitation under current threat landscape. The flaw is not listed in CISA\u2019s KEV catalog, so there is no known large-scale active exploitation. The attack requires the attacker to be authenticated to the WordPress installation, typically by credential compromise or social engineering. Once authenticated, the attacker can invoke the vulnerable AJAX endpoint to change plugin settings, which may have widespread impact on the site\u2019s storefront or landing pages. Therefore, the risk is significant for organizations with less stringent role management but the likelihood of immediate exploitation is low."}}}}, "created": "2025-12-05T10:52:00.180943+00:00", "updated": "2026-04-22T12:00:05.910049+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}