{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12579", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-31T21:17:26.417Z", "datePublished": "2025-11-27T02:26:13.668Z", "dateUpdated": "2026-04-08T16:49:06.782Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:06.782Z"}, "affected": [{"vendor": "rnags", "product": "Reuters Direct", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Reuters Direct plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'logoff' action in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to reset the plugin's settings."}], "title": "Reuters Direct <= 3.0.0 - Missing Authorization to Unauthenticated Settings Reset", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4360f293-201c-40c1-9603-931d72cc79bc?source=cve"}, {"url": "https://wordpress.org/plugins/reuters-direct/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2025-11-26T14:20:50.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-28T14:41:19.960743Z", "id": "CVE-2025-12579", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-28T19:33:52.555Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12579", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-28T14:41:19.960743Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-28T14:41:20.727Z"}}], "cna": {"title": "Reuters Direct <= 3.0.0 - Missing Authorization to Unauthenticated Settings Reset", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "rnags", "product": "Reuters Direct", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-26T14:20:50.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4360f293-201c-40c1-9603-931d72cc79bc?source=cve"}, {"url": "https://wordpress.org/plugins/reuters-direct/"}], "descriptions": [{"lang": "en", "value": "The Reuters Direct plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'logoff' action in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to reset the plugin's settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:06.782Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12579", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:49:06.782Z", "dateReserved": "2025-10-31T21:17:26.417Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-27T02:26:13.668Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Reuters Direct plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'logoff' action in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to reset the plugin's settings."}], "id": "CVE-2025-12579", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-27T03:15:57.360", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/reuters-direct/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4360f293-201c-40c1-9603-931d72cc79bc?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:57:02.828057+00:00", "value": {"mitigation_remediation": ["Upgrade the Reuters Direct plugin to the latest available release (above version 3.0.0).", "If an update is not immediately possible, restrict access to the logoff action so that only authenticated users with the appropriate capability can execute it. This can be achieved by disabling the endpoint or modifying the plugin code to enforce a capability check.", "Audit the WordPress installation for other plugins that may lack proper capability validations and apply updates or custom patches as necessary."], "summary": {"action": "Patch", "impact": "Unauthenticated Settings Reset"}, "threat_synthesis": {"affected_systems": "All installations of the Reuters Direct WordPress plugin from its initial release through version 3.0.0 are vulnerable. The affected product is the Reuters Direct plugin distributed by the rnags vendor within the WordPress ecosystem.", "description_and_impact": "The Reuters Direct plugin for WordPress contains a missing capability verification on the logoff action. This flaw allows any unauthenticated user to trigger a reset of the plugin\u2019s configuration. The result is an unauthorized modification of data that can disrupt site operation or serve as a foothold for attackers who may later reconfigure the plugin in a malicious manner. The weakness is an Authorization Control error, classified as CWE\u2011862.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The flaw is not listed in the CISA KEV catalog. Attackers would simply need to send a request to the logoff endpoint without authentication; no credentials are required, but the presence of the request must reach the target server. The overall risk is thus moderate but remains non\u2011negligible, especially for high\u2011traffic sites where a settings reset could cause significant disruption."}}}}, "created": "2025-11-27T16:26:00.465217+00:00", "updated": "2026-04-21T18:00:11.742786+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}