WordPress Plugin Vulnerabilities

Post Type Switcher < 4.0.1 - Insecure Direct Object Reference to Authenticated (Author+) Post Type Change

Description

The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to modify the post type of arbitrary posts and pages they do not own, including those created by administrators, which can lead to site disruption, broken navigation, and SEO impact.

Affects Plugins

Plugin icon
post-type-switcher
Fixed in 4.0.1

References

CVE
CVE-2025-12524
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d875514c-c7d3-4236-842b-6e772048448d

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Athiwat Tiprasaharn (Jitlada)
Verified
No
WPVDB ID
fb339dc7-e45d-4df2-b103-6a5f5458f368

Timeline

Publicly Published
2025-11-17 (about 5 months ago)
Added
2025-11-17 (about 5 months ago)
Last Updated
2025-11-18 (about 5 months ago)

Other

Published
Title
Published
2024-04-22
Title
BuddyBoss platform < 2.7.60 - Private Comment Exposure via IDOR
Published
2026-04-27
Title
Booking Package < 1.7.07 - Unauthenticated Price Manipulation via 'amount' Parameter
Published
2025-02-23
Title
Filebird < 6.4.6 - Authenticated (Author+) Insecure Direct Object Reference
Published
2026-01-02
Title
Roam <= 2.1.1 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2024-11-20
Title
If-So Dynamic Content Personalization < 1.9.2.2 - Authenticated (Contributor+) Post Disclosure