Post Expirator < 4.9.4 – Missing Authorization | CVE 2025-69361 | Plugin Vulnerabilities

Description

The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.9.3. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.

Affects Plugins

Fixed in 4.9.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/06ac994a-1f49-4c7f-ba76-054deaf25c51

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Bao - BlueRock

Verified

No

WPVDB ID

286e497f-88d7-445d-8bc5-30cea418faa8

Timeline

Publicly Published

2026-01-11 (about 4 months ago)

Added

2026-01-14 (about 3 months ago)

Last Updated

2026-01-14 (about 3 months ago)

Other

Published

Title

Published

2025-10-13

Title

SureForms – Drag and Drop Form Builder for WordPress < 1.12.2 - Missing Authorization to Authenticated (Contributor+) Information Disclosure

Published

2025-12-12

Title

Trinity Audio < 5.24 - Missing Authorization

Published

2026-01-16

Title

Peach Payments Gateway < 3.3.7 - Missing Authorization

Published

2025-04-04

Title

Easy WP Optimizer <= 1.1.0 - Missing Authorization

Published

2024-08-29

Title

Tutor LMS Pro < 2.7.3 - Missing Authorization to Authenticated (Subscriber+) Insecure Direct Object Reference