WP Page Permalink Extension

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Description

The WP Page Permalink Extension plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.4. This is due to missing authorization checks on the `cwpp_trigger_flush_rewrite_rules` function hooked to `wp_ajax_cwpp_trigger_flush_rewrite_rules`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to flush the site's rewrite rules via the `action` parameter.

Basic Information

ID CVE-2025-14172

Source Wordfence

Published Jan 9, 2026 at 11:15

Affected Product

Vendor infosatech

Product WP Page Permalink Extension

Version *

Affected Versions infosatech WP Page Permalink Extension *

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "The WP Page Permalink Extension plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.4. This is due to missing authorization checks on the `cwpp_trigger_flush_rewrite_rules` function hooked to `wp_ajax_cwpp_trigger_flush_rewrite_rules`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to flush the site's rewrite rules via the `action` parameter.",
    "published": "2026-01-09T11:15:34.916Z",
    "modified": "2026-01-09T11:15:34.916Z",
    "type": "cve",
    "title": "WP Page Permalink Extension <= 1.5.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Rewrite Rules Flush",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c5ba37d7-8fde-4ee3-93db-d2459da34bc4?source=cve\nhttps://plugins.trac.wordpress.org/browser/change-wp-page-permalinks/trunk/change-wp-page-permalinks.php#L188\nhttps://plugins.trac.wordpress.org/browser/change-wp-page-permalinks/tags/1.5.4/change-wp-page-permalinks.php#L188",
    "id": "CVE-2025-14172",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "infosatech WP Page Permalink Extension *",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WP Page Permalink Extension",
    "version": "*",
    "vendor": "infosatech",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

WP Page Permalink Extension <= 1.5.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Rewrite Rules Flush_CVE-2025-14172