Accessiy By CodeConfig Accessibility

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

The Accessiy By CodeConfig Accessibility plugin for WordPress is vulnerable to unauthorized page creation due to missing authorization checks in versions up to, and including, 1.0.0. This is due to the plugin not performing capability checks in the `Settings::createPage()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary published pages on the site via the `ccpcaCreatePage` AJAX action.

Basic Information

ID CVE-2025-13358

Source Wordfence

Published Dec 6, 2025 at 05:49

Affected Product

Vendor codeconfig

Product CodeConfig Accessibility

Version *

Affected Versions codeconfig CodeConfig Accessibility *

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "The Accessiy By CodeConfig Accessibility plugin for WordPress is vulnerable to unauthorized page creation due to missing authorization checks in versions up to, and including, 1.0.0. This is due to the plugin not performing capability checks in the `Settings::createPage()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary published pages on the site via the `ccpcaCreatePage` AJAX action.",
    "published": "2025-12-06T05:49:36.406Z",
    "modified": "2025-12-06T05:49:36.406Z",
    "type": "cve",
    "title": "Accessiy By CodeConfig Accessibility <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Page Creation",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fe324d4d-eb52-4eeb-ad91-072a6e84d9ba?source=cve\nhttps://plugins.trac.wordpress.org/browser/codeconfig-accessibility/tags/1.0.0/includes/Ajax/Settings.php#L96\nhttps://plugins.trac.wordpress.org/browser/codeconfig-accessibility/trunk/includes/Ajax/Settings.php#L96\nhttps://plugins.trac.wordpress.org/browser/codeconfig-accessibility/tags/1.0.0/includes/Ajax.php#L24\nhttps://plugins.trac.wordpress.org/browser/codeconfig-accessibility/trunk/includes/Ajax.php#L24",
    "id": "CVE-2025-13358",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "codeconfig CodeConfig Accessibility *",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "CodeConfig Accessibility",
    "version": "*",
    "vendor": "codeconfig",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Accessiy By CodeConfig Accessibility <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Page Creation_CVE-2025-13358