WordPress Plugin Vulnerabilities

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories < 4.9.4 - Missing Authorization to Authenticated (Contributor+) Workflow Manipulation

Description

The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Contributor-level access and above, to create, update, delete, and publish malicious workflows that may automatically delete any post upon publication or update, including posts created by administrators.

Affects Plugins

Plugin icon
post-expirator
Fixed in 4.9.4

References

CVE
CVE-2025-14718
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8198d81a-40c0-49c1-8c38-f5ef6fb911ad

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Athiwat Tiprasaharn (Jitlada)
Verified
No
WPVDB ID
cdbcd849-7bf8-4a10-8864-59972ac56132

Timeline

Publicly Published
2026-01-08 (about 4 months ago)
Added
2026-01-08 (about 4 months ago)
Last Updated
2026-01-09 (about 4 months ago)

Other

Published
Title
Published
2025-12-14
Title
CMSMasters Content Composer < 2.5.9 - Missing Authorization
Published
2024-12-11
Title
New User Approve < 2.6.4 - Missing Authorization
Published
2024-04-25
Title
Piotnet Addons For Elementor Pro <= 7.1.17 - Missing Authorization to Arbitrary Post/Page Deletion
Published
2025-11-05
Title
Better Find and Replace < 1.7.8 - Missing Authorization
Published
2024-10-27
Title
Contact Form 7 + Telegram < 0.8.6 - Missing Authorization to Authenticated (Subscriber+) Subscription Approve/Pause/Refuse