WordPress Plugin Vulnerabilities

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories < 4.9.2 - Authenticated (Author+) Missing Authorization to Post/Page Status Modification

Description

The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the "saveFutureActionData" function in all versions up to, and including, 4.9.1. This makes it possible for authenticated attackers, with author level access and above, to change the status of arbitrary posts and pages via the REST API endpoint.

Affects Plugins

Plugin icon
post-expirator
Fixed in 4.9.2

References

CVE
CVE-2025-13149
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/82ea0ebc-08aa-4ef5-b6b1-c7c13715ef6d

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Athiwat Tiprasaharn (Jitlada)
Verified
No
WPVDB ID
e8732a62-7a06-47be-8f22-04c5e96de973

Timeline

Publicly Published
2025-11-20 (about 5 months ago)
Added
2025-11-20 (about 5 months ago)
Last Updated
2025-11-21 (about 5 months ago)

Other

Published
Title
Published
2023-11-23
Title
Awesome Support < 6.1.5 - Missing Authorization via wpas_edit_reply_ajax()
Published
2026-01-25
Title
Automatic Featured Images from Videos < 1.2.8 - Missing Authorization
Published
2025-06-05
Title
WP-CRM System < 3.4.3 - Missing Authorization
Published
2024-11-15
Title
Customer Reviews for WooCommerce < 5.62.0 - Missing Authorization to Authenticated (Subscriber+) Import Cancellation
Published
2025-06-12
Title
Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal < 16.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read