{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14172", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-05T22:12:02.972Z", "datePublished": "2026-01-09T11:15:34.916Z", "dateUpdated": "2026-04-08T17:20:58.464Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:58.464Z"}, "affected": [{"vendor": "infosatech", "product": "WP Page Permalink Extension", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.5.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Page Permalink Extension plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.4. This is due to missing authorization checks on the `cwpp_trigger_flush_rewrite_rules` function hooked to `wp_ajax_cwpp_trigger_flush_rewrite_rules`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to flush the site's rewrite rules via the `action` parameter."}], "title": "WP Page Permalink Extension <= 1.5.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Rewrite Rules Flush", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c5ba37d7-8fde-4ee3-93db-d2459da34bc4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/change-wp-page-permalinks/trunk/change-wp-page-permalinks.php#L188"}, {"url": "https://plugins.trac.wordpress.org/browser/change-wp-page-permalinks/tags/1.5.4/change-wp-page-permalinks.php#L188"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2026-01-21T03:25:06.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-08T21:56:04.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-09T16:50:38.330576Z", "id": "CVE-2025-14172", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T16:58:27.051Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14172", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-09T16:50:38.330576Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T16:58:16.032Z"}}], "cna": {"title": "WP Page Permalink Extension <= 1.5.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Rewrite Rules Flush", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}}], "affected": [{"vendor": "infosatech", "product": "WP Page Permalink Extension", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.5.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-08T21:56:04.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c5ba37d7-8fde-4ee3-93db-d2459da34bc4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/change-wp-page-permalinks/trunk/change-wp-page-permalinks.php#L188"}, {"url": "https://plugins.trac.wordpress.org/browser/change-wp-page-permalinks/tags/1.5.4/change-wp-page-permalinks.php#L188"}], "descriptions": [{"lang": "en", "value": "The WP Page Permalink Extension plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.4. This is due to missing authorization checks on the `cwpp_trigger_flush_rewrite_rules` function hooked to `wp_ajax_cwpp_trigger_flush_rewrite_rules`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to flush the site's rewrite rules via the `action` parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-09T11:15:34.916Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14172", "state": "PUBLISHED", "dateUpdated": "2026-01-09T16:58:27.051Z", "dateReserved": "2025-12-05T22:12:02.972Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-09T11:15:34.916Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Page Permalink Extension plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.4. This is due to missing authorization checks on the `cwpp_trigger_flush_rewrite_rules` function hooked to `wp_ajax_cwpp_trigger_flush_rewrite_rules`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to flush the site's rewrite rules via the `action` parameter."}, {"lang": "es", "value": "El plugin WP Page Permalink Extension para WordPress es vulnerable a la falta de autorizaci\u00f3n en todas las versiones hasta la 1.5.4, inclusive. Esto se debe a la ausencia de comprobaciones de autorizaci\u00f3n en la funci\u00f3n `cwpp_trigger_flush_rewrite_rules` enganchada a `wp_ajax_cwpp_trigger_flush_rewrite_rules`. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, vac\u00eden las reglas de reescritura del sitio a trav\u00e9s del par\u00e1metro `action`."}], "id": "CVE-2025-14172", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-09T12:15:53.260", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/change-wp-page-permalinks/tags/1.5.4/change-wp-page-permalinks.php#L188"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/change-wp-page-permalinks/trunk/change-wp-page-permalinks.php#L188"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c5ba37d7-8fde-4ee3-93db-d2459da34bc4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:10:18.696172+00:00", "value": {"mitigation_remediation": ["Upgrade WP Page Permalink Extension to a version that includes the missing authorization fix (any released version above 1.5.4).", "If an upgrade is not possible, remove or deactivate the wp_ajax_cwpp_trigger_flush_rewrite_rules hook in the plugin code or add a custom snippet that prevents users below Administrator from invoking this action.", "Apply role\u2011based access controls or security plugins to block the action parameter for subscribers and lower roles, ensuring that only authorized administrators can trigger rewrite rule flushes."], "summary": {"action": "Patch or Update", "impact": "Flush Rewrite Rules via Authenticated subscriber-level access"}, "threat_synthesis": {"affected_systems": "WordPress sites using the infosatech WP Page Permalink Extension plugin, specifically all versions up to and including 1.5.4. No other vendors or products are currently documented as affected by this issue.", "description_and_impact": "The WP Page Permalink Extension plugin contains a missing authorization check on the cwpp_trigger_flush_rewrite_rules function. This function is exposed through the wp_ajax_cwpp_trigger_flush_rewrite_rules AJAX endpoint. If an authenticated user with a Subscriber role or higher accesses this endpoint and sets the action parameter, the plugin will flush all of the site's rewrite rules. Flushing the rewrite rules can abruptly disrupt site navigation, cause 404 errors, and affect the availability of content. The vulnerability is classified as CWE\u2011862, a missing authorization defect, and does not provide arbitrary code execution or privilege escalation.", "risk_and_exploitability": "The CVSS score for this issue is 6.5, indicating a moderate severity. The EPSS score is less than 1%, suggesting a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker must first be authenticated and have at least Subscriber access. The attack vector is via the public AJAX endpoint, so it is a network-based attack that leverages the inherent authentication mechanism of WordPress. While exploitation does not grant the attacker higher privileges, the ability to flush rewrite rules can be used to create a denial\u2011of\u2011service condition or to set the stage for further attacks that depend on manipulating URL routing."}}}}, "created": "2026-01-09T13:23:53.098787+00:00", "updated": "2026-04-20T21:15:20.634921+00:00", "vendors": ["infosatech", "infosatech$PRODUCT$wp_page_permalink_extension", "wordpress", "wordpress$PRODUCT$wordpress"]}