CVE-2025-12582
📋 TL;DR
The Features plugin for WordPress has an authorization vulnerability that allows authenticated users with Subscriber-level access or higher to revert plugin options without proper permission checks. This affects all WordPress sites using the Features plugin version 0.0.2 or earlier. Attackers can modify plugin settings they shouldn't have access to.
💻 Affected Systems
- WordPress Features plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker could revert critical plugin settings to default values, potentially disabling security features, changing site behavior, or causing service disruption.
Likely Case
Attackers modify plugin configuration settings, potentially changing site functionality or disabling features without authorization.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized configuration changes that can be detected and reverted.
🎯 Exploit Status
Exploitation requires authenticated access but is simple once authenticated. The vulnerability is in a publicly accessible AJAX endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 0.0.2
Vendor Advisory: https://wordpress.org/plugins/features/
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Go to Plugins → Installed Plugins
3. Find 'Features' plugin
4. Click 'Update Now' if update available
5. If no update available, deactivate and delete the plugin
🔧 Temporary Workarounds
Disable AJAX endpoint via .htaccess
linuxBlock access to the vulnerable AJAX endpoint
# Add to .htaccess in WordPress root directory
<Files "admin-ajax.php">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
Remove Subscriber role AJAX access
allRemove AJAX capabilities from Subscriber role users
// Add to theme's functions.php or custom plugin
add_filter('wp_ajax_features_revert_option', function() {
if (!current_user_can('manage_options')) {
wp_die('Unauthorized');
}
});
🧯 If You Can't Patch
- Temporarily deactivate the Features plugin until patched
- Implement strict user role management and monitor for unauthorized configuration changes
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Features plugin version 0.0.2 or earlierCheck Version:
wp plugin list --name=features --field=versionVerify Fix Applied:
Verify Features plugin version is higher than 0.0.2 or plugin is removed📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=features_revert_option from non-admin users
- Unauthorized AJAX requests in WordPress debug logs
Network Indicators:
- HTTP POST requests to admin-ajax.php with features_revert_option parameter
SIEM Query:
source="wordpress.logs" action="features_revert_option" AND user_role!="administrator"