{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13149", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-13T20:11:15.470Z", "datePublished": "2025-11-21T08:28:13.060Z", "dateUpdated": "2026-04-08T17:04:04.163Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:04.163Z"}, "affected": [{"vendor": "publishpress", "product": "Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.9.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the \"saveFutureActionData\" function in all versions up to, and including, 4.9.1. This makes it possible for authenticated attackers, with author level access and above, to change the status of arbitrary posts and pages via the REST API endpoint."}], "title": "Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.1 - Authenticated (Author+) Missing Authorization to Post/Page Status Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/82ea0ebc-08aa-4ef5-b6b1-c7c13715ef6d?source=cve"}, {"url": "https://github.com/publishpress/publishpress-future/commit/0cbefc1632c6f1fffc5fa0ca85e6b8a641d41c7f"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-11-05T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-11-13T20:26:52.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-20T19:53:09.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-21T14:47:51.135832Z", "id": "CVE-2025-13149", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-21T14:55:48.208Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13149", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-21T14:47:51.135832Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-21T14:53:40.416Z"}}], "cna": {"title": "Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.1 - Authenticated (Author+) Missing Authorization to Post/Page Status Modification", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "publishpress", "product": "Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.9.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-05T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-11-13T20:26:52.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-20T19:53:09.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/82ea0ebc-08aa-4ef5-b6b1-c7c13715ef6d?source=cve"}, {"url": "https://github.com/publishpress/publishpress-future/commit/0cbefc1632c6f1fffc5fa0ca85e6b8a641d41c7f"}], "descriptions": [{"lang": "en", "value": "The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the \"saveFutureActionData\" function in all versions up to, and including, 4.9.1. This makes it possible for authenticated attackers, with author level access and above, to change the status of arbitrary posts and pages via the REST API endpoint."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:04.163Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13149", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:04:04.163Z", "dateReserved": "2025-11-13T20:11:15.470Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-21T08:28:13.060Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the \"saveFutureActionData\" function in all versions up to, and including, 4.9.1. This makes it possible for authenticated attackers, with author level access and above, to change the status of arbitrary posts and pages via the REST API endpoint."}], "id": "CVE-2025-13149", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-21T09:15:46.710", "references": [{"source": "security@wordfence.com", "url": "https://github.com/publishpress/publishpress-future/commit/0cbefc1632c6f1fffc5fa0ca85e6b8a641d41c7f"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/82ea0ebc-08aa-4ef5-b6b1-c7c13715ef6d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:04:45.518894+00:00", "value": {"mitigation_remediation": ["Upgrade the PublishPress Future plugin to version 4.9.2 or later, which addresses the authorization check issue.", "Restrict or disable the affected REST API endpoint for users with author-level access, using a security plugin or .htaccess rules.", "Audit and tighten WordPress user roles to ensure that only trusted users have author or higher capabilities, and review the plugin\u2019s configuration for any remaining unrestricted actions."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Modification of Post/Page Status via the REST API"}, "threat_synthesis": {"affected_systems": "Affected systems are WordPress installations running PublishPress Future plugin version 4.9.1 or earlier. The issue applies to all WordPress sites that have the plugin installed and where users with author-level access can use the REST API. No version beyond 4.9.1 is listed as affected.", "description_and_impact": "The vulnerability in the Schedule Post Changes With PublishPress Future plugin allows authenticated authors and higher to modify post and page statuses through the REST API without proper authorization checks. This flaw enables attackers to unpublish, delete, change status, trash, or alter categories of arbitrary content, compromising data integrity.", "risk_and_exploitability": "The CVSS score of 4.3 indicates low severity, and an EPSS score of less than 1% points to a very low exploitation probability. The vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is via the authenticated REST API endpoint, requiring only author-level credentials, a common privilege in many WordPress sites. Because of these conditions, the overall risk remains low, but any exposed REST API can be a target if an attacker gains author access."}}}}, "created": "2025-11-24T09:09:54.820509+00:00", "updated": "2026-04-21T18:15:36.366272+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}