CVE-2025-12639

4.3 MEDIUM

📋 TL;DR

The wModes WordPress plugin has an authorization bypass vulnerability that allows authenticated users with subscriber-level access or higher to access sensitive information via AJAX endpoints. This affects all WordPress sites using vulnerable plugin versions, potentially exposing user data and WooCommerce information.

💻 Affected Systems

Products:
  • wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions WordPress plugin
Versions: All versions up to and including 1.2.2
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin enabled. WooCommerce integration increases data exposure.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could extract all user data including emails, usernames, roles, and WooCommerce product/payment information, leading to data breach and potential credential harvesting.

🟠 Likely Case

Authenticated attackers with minimal privileges extract user email addresses and usernames for phishing campaigns or credential stuffing attacks.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to logged activity detection and minimal data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but only subscriber-level privileges. Simple HTTP requests to AJAX endpoints can trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.3 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3392651/catalog-mode-pricing-enquiry-forms-promotions/trunk

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find 'wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions'.
  4. Click 'Update Now' if available.
  5. Alternatively, download version 1.2.3+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable vulnerable AJAX endpoints

Temporarily block access to the vulnerable AJAX endpoint via .htaccess or web server configuration. Note that the rule below inspects only the query string: a request that sends action=reon_ajax in the POST body is not matched, so this is a partial stopgap rather than a replacement for the patch.

# Add to .htaccess:
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-admin/admin-ajax\.php$
RewriteCond %{QUERY_STRING} action=reon_ajax
RewriteRule ^ - [F]

🧯 If You Can't Patch

  • Disable the wModes plugin completely until patched
  • Implement strict access controls and monitor AJAX endpoint access logs for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for wModes plugin version 1.2.2 or earlier

Check Version:

wp plugin list --name=catalog-mode-pricing-enquiry-forms-promotions --field=version

Verify Fix Applied:

Verify plugin version is 1.2.3 or later in WordPress admin panel
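As an added example (not part of the advisory), the check below wraps the WP-CLI command and compares the installed version against the first fixed release numerically rather than as strings, so a release such as 1.2.10 is not mistaken for a vulnerable one. It assumes WP-CLI is installed and that the plugin slug is the one appearing in the vendor changeset URL.

```python
"""Check whether the installed wModes version falls in the vulnerable range (<= 1.2.2).

Added example, not part of the advisory. Assumes WP-CLI is on PATH and that the
plugin slug is catalog-mode-pricing-enquiry-forms-promotions (taken from the
vendor changeset URL).
"""
import re
import subprocess
from typing import Optional, Tuple

PLUGIN_SLUG = "catalog-mode-pricing-enquiry-forms-promotions"  # slug from the vendor URL
FIXED_VERSION = "1.2.3"  # first patched release per the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.2.10' into (1, 2, 10) so comparison is numeric, not lexicographic.

    A pre-release suffix such as '-beta' is dropped; missing components count as 0,
    so '1.2' compares as (1, 2, 0).
    """
    core = version.strip().split("-")[0]
    parts = tuple(int(p) for p in re.findall(r"\d+", core))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed one."""
    return parse_version(installed) < parse_version(fixed)


def installed_version(slug: str = PLUGIN_SLUG) -> Optional[str]:
    """Ask WP-CLI for the plugin's version; None if WP-CLI or the plugin is absent."""
    try:
        out = subprocess.run(
            ["wp", "plugin", "list", f"--name={slug}", "--field=version"],
            capture_output=True, text=True, check=True,
        ).stdout.strip()
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out or None


if __name__ == "__main__":
    version = installed_version()
    if version is None:
        print("wModes not found or WP-CLI unavailable")
    elif is_vulnerable(version):
        print(f"wModes {version}: VULNERABLE, update to {FIXED_VERSION} or later")
    else:
        print(f"wModes {version}: patched")
```

Run it from the WordPress root (or with `--path` added to the WP-CLI arguments) so that WP-CLI can locate the installation.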

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /wp-admin/admin-ajax.php with the 'action=reon_ajax' parameter from a single user account
  • Unusual data extraction patterns from AJAX endpoints

Network Indicators:

  • HTTP POST requests to admin-ajax.php with reon_ajax action from non-admin users

SIEM Query:

source="web_access_logs" AND uri="/wp-admin/admin-ajax.php" AND query="*action=reon_ajax*" AND user_agent NOT LIKE "%wp-admin%"
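For sites without a SIEM, the same log indicator can be applied directly to an Apache combined-format access log. The script below is an added example, not part of the advisory: it counts POST requests to admin-ajax.php carrying action=reon_ajax in the query string and reports clients that exceed a threshold. Because standard access logs do not record the WordPress username, requests are grouped by client IP (an assumption), and an action sent only in the POST body is invisible here, which is why the advisory's log indicator is an approximation. The sample log lines are constructed.

```python
"""Flag clients hammering the wModes AJAX action in a web access log.

Added example, not from the advisory. Grouping is by client IP because standard
access logs do not contain the WordPress username (assumption). Only the query
string is visible in access logs; an action passed in the POST body would need
request-body logging or a WAF to detect.
"""
import re
from collections import Counter
from typing import Dict, List

# Apache combined format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

AJAX_PATH = "/wp-admin/admin-ajax.php"
SUSPECT_ACTION = "reon_ajax"  # AJAX action named in the advisory


def is_suspect_request(path: str) -> bool:
    """True when the request path is admin-ajax.php with action=reon_ajax in its query string."""
    route, _, query = path.partition("?")
    if route != AJAX_PATH or not query:
        return False
    params = dict(p.split("=", 1) if "=" in p else (p, "") for p in query.split("&"))
    return params.get("action") == SUSPECT_ACTION


def find_ajax_abuse(lines: List[str], threshold: int = 5) -> Dict[str, int]:
    """Count reon_ajax POSTs per client IP and return those at or above the threshold."""
    hits: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if is_suspect_request(m["path"]):
            hits[m["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


# Constructed sample lines, not real traffic: one client repeats the suspect action six
# times, another makes one ordinary heartbeat call and a single reon_ajax call.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Nov/2025:10:00:{s:02d} +0000] '
    f'"POST /wp-admin/admin-ajax.php?action=reon_ajax HTTP/1.1" 200 512 '
    f'"https://shop.example/" "Mozilla/5.0"'
    for s in range(6)
] + [
    '198.51.100.4 - - [10/Nov/2025:10:01:00 +0000] '
    '"POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 '
    '"https://shop.example/wp-admin/" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Nov/2025:10:01:05 +0000] '
    '"POST /wp-admin/admin-ajax.php?action=reon_ajax HTTP/1.1" 200 512 '
    '"https://shop.example/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, count in find_ajax_abuse(SAMPLE_LOG).items():
        print(f"{ip}: {count} reon_ajax POSTs, review this client's account activity")
```

The threshold is deliberately low for a sample; on a production site tune it against the normal rate of legitimate wModes enquiry-form and pricing calls, and pair the count with the user account resolved from the session cookie if your log format records it.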
