{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13529", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-21T20:16:12.024Z", "datePublished": "2026-01-07T08:21:53.677Z", "dateUpdated": "2026-04-08T17:17:19.122Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:19.122Z"}, "affected": [{"vendor": "codeclouds", "product": "Unify", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.4.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Unify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'init' action in all versions up to, and including, 3.4.9. This makes it possible for unauthenticated attackers to delete specific plugin options via the 'unify_plugin_downgrade' parameter."}], "title": "Unify <= 3.4.9 - Missing Authorization to Unauthenticated Option Deletion via 'unify_plugin_downgrade' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b5fd4a47-0549-4d03-b81a-ad97d3d5d390?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/unify/tags/3.4.9/Services/Hooks.php#L154"}, {"url": "https://plugins.trac.wordpress.org/changeset/3447706/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2026-01-06T19:46:16.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-07T16:29:40.335929Z", "id": "CVE-2025-13529", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T16:29:48.767Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13529", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-07T16:29:40.335929Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T16:29:43.710Z"}}], "cna": {"title": "Unify <= 3.4.9 - Missing Authorization to Unauthenticated Option Deletion via 'unify_plugin_downgrade' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "codeclouds", "product": "Unify", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.4.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-06T19:46:16.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b5fd4a47-0549-4d03-b81a-ad97d3d5d390?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/unify/tags/3.4.9/Services/Hooks.php#L154"}, {"url": "https://plugins.trac.wordpress.org/changeset/3447706/"}], "descriptions": [{"lang": "en", "value": "The Unify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'init' action in all versions up to, and including, 3.4.9. This makes it possible for unauthenticated attackers to delete specific plugin options via the 'unify_plugin_downgrade' parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:19.122Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13529", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:17:19.122Z", "dateReserved": "2025-11-21T20:16:12.024Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-07T08:21:53.677Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Unify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'init' action in all versions up to, and including, 3.4.9. This makes it possible for unauthenticated attackers to delete specific plugin options via the 'unify_plugin_downgrade' parameter."}, {"lang": "es", "value": "El plugin Unify para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una falta de verificaci\u00f3n de capacidad en la acci\u00f3n 'init' en todas las versiones hasta la 3.4.9, inclusive. Esto hace posible que atacantes no autenticados eliminen opciones espec\u00edficas del plugin a trav\u00e9s del par\u00e1metro 'unify_plugin_downgrade'."}], "id": "CVE-2025-13529", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-07T12:16:49.083", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/unify/tags/3.4.9/Services/Hooks.php#L154"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3447706/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b5fd4a47-0549-4d03-b81a-ad97d3d5d390?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:34:26.755848+00:00", "value": {"mitigation_remediation": ["Upgrade the Unify plugin to the latest available version, which includes the authorization check.", "If an upgrade is not immediately possible, deactivate or uninstall the Unify plugin to eliminate the vulnerability.", "Configure a Web Application Firewall or similar rule to block or sanitize any request containing the unify_plugin_downgrade parameter."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Option Deletion"}, "threat_synthesis": {"affected_systems": "This issue affects any WordPress site running the Unify plugin version 3.4.9 or earlier, as distributed by CodeClouds. No other products or versions are listed as impacted.", "description_and_impact": "The Unify plugin for WordPress fails to enforce a capability check on the init action in all releases up to and including 3.4.9, allowing an unauthenticated user to specify the unify_plugin_downgrade parameter and delete arbitrary plugin options. This missing authorization flaw (CWE\u2011862) can compromise the configuration and stability of the site, potentially leading to service disruption or defacement.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not included in CISA KEV. Attackers would need only to reach a public endpoint on the target WordPress installation and craft an HTTP request containing the unify_plugin_downgrade parameter; the absence of user authentication makes the attack vector straightforward but requires the site to be reachable."}}}}, "created": "2026-01-08T09:49:29.817768+00:00", "updated": "2026-04-21T00:45:23.089234+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}