CVE-2025-14172

MEDIUM

WP Page Permalink Extension <1.5.4 - Auth Bypass

Description

The WP Page Permalink Extension plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.4. This is due to missing authorization checks on the `cwpp_trigger_flush_rewrite_rules` function hooked to `wp_ajax_cwpp_trigger_flush_rewrite_rules`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to flush the site's rewrite rules via the `action` parameter.

Exploits (1)

nomisec SCANNER
by RootHarpy · poc
https://github.com/RootHarpy/CVE-2025-14172-Nuclei-Template

Scores

CVSS v3: 6.5
EPSS: 0.0002
EPSS Percentile: 4.3%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Details

CWE: CWE-862
Status: published
Products (1)
infosatech/WP Page Permalink Extension < 1.5.4
Published: Jan 09, 2026
Tracked Since: Feb 18, 2026