CVE-2025-12372
📋 TL;DR
The Permalinks Cascade WordPress plugin has a missing authorization vulnerability that allows authenticated users with subscriber-level access or higher to perform administrative actions without proper permissions. Attackers can modify plugin settings like automatic pinging and page exclusions. All WordPress sites using this plugin up to version 2.2 are affected.
💻 Affected Systems
- Permalinks Cascade WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could disable critical SEO functionality, modify site structure settings, or potentially chain with other vulnerabilities to gain full administrative control.
Likely Case
Malicious users could disrupt SEO operations by disabling automatic pinging or modifying page exclusion settings, potentially affecting search engine visibility.
If Mitigated
With proper access controls and monitoring, impact is limited to minor configuration changes that can be detected and reverted.
🎯 Exploit Status
Exploitation requires authenticated access (subscriber or higher). The vulnerability is in a specific AJAX handler function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Permalinks Cascade plugin. 4. Click 'Update Now' if available, or manually update to version 2.3+. 5. Verify plugin is active and functioning.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
allRemove or restrict access to the vulnerable handleTPCAdminAjaxRequest function
Edit wp-content/plugins/the-permalinks-cascade/admin/admin-controller.class.php and comment out or remove lines 109-130
Restrict user roles
allTemporarily limit subscriber-level access or review user permissions
Use WordPress role management plugins or custom code to restrict subscriber capabilities
🧯 If You Can't Patch
- Deactivate the Permalinks Cascade plugin entirely until patched
- Implement strict monitoring of AJAX requests to /wp-admin/admin-ajax.php for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Permalinks Cascade. If version is 2.2 or lower, you are vulnerable.Check Version:
wp plugin list --name=permalinks-cascade --field=version (if WP-CLI installed) or check WordPress admin interfaceVerify Fix Applied:
Verify plugin version is 2.3 or higher in WordPress admin panel. Test that only administrators can modify plugin settings.📡 Detection & Monitoring
Log Indicators:
- Unusual AJAX requests to admin-ajax.php with action=tpc_admin_ajax from non-admin users
- Changes to permalinks_cascade_settings option from non-admin users
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action parameter containing 'tpc_admin_ajax' from unauthorized IPs
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "tpc_admin_ajax" AND NOT user_role="administrator"🔗 References
- https://plugins.trac.wordpress.org/browser/the-permalinks-cascade/tags/2.2/admin/admin-controller.class.php#L109
- https://plugins.trac.wordpress.org/browser/the-permalinks-cascade/tags/2.2/includes/core.class.php#L36
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c08d420d-d521-4215-9ef7-b5d1c44a19d3?source=cve
