CVE-2025-12681
📋 TL;DR
The Comment Edit Core plugin for WordPress exposes sensitive user data including email addresses, IPs, and user IDs through an unauthenticated AJAX endpoint. All WordPress sites using this plugin up to version 3.1.0 are affected. Attackers can harvest this information without any authentication.
💻 Affected Systems
- Comment Edit Core – Simple Comment Editing WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Mass data breach exposing all commenter PII leading to targeted phishing, credential stuffing attacks, and privacy violations.
Likely Case
Attackers harvest email addresses and user data for spam campaigns, credential stuffing, and targeted attacks.
If Mitigated
Limited exposure if plugin is disabled or patched quickly, but any exposed data remains compromised.
🎯 Exploit Status
Simple HTTP request to the vulnerable AJAX endpoint. Proof of concept is publicly available in the references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.1
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3392054/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Comment Edit Core – Simple Comment Editing'. 4. Click 'Update Now' if available, or manually update to version 3.1.1. 5. Verify plugin is active on version 3.1.1.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate the plugin until patched
wp plugin deactivate simple-comment-editing
Block AJAX endpoint
linuxAdd web application firewall rule to block access to vulnerable endpoint
# Add to .htaccess for Apache:
RewriteRule ^wp-admin/admin-ajax\.php\?action=ajax_get_comment - [F,L]
🧯 If You Can't Patch
- Disable the Comment Edit Core plugin immediately
- Implement web application firewall rules to block access to the vulnerable AJAX endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress plugin version: Navigate to Plugins → Installed Plugins and verify 'Comment Edit Core – Simple Comment Editing' version is 3.1.0 or lower.Check Version:
wp plugin get simple-comment-editing --field=versionVerify Fix Applied:
Confirm plugin version is 3.1.1 or higher in WordPress admin panel under Plugins → Installed Plugins.📡 Detection & Monitoring
Log Indicators:
- Multiple requests to /wp-admin/admin-ajax.php with action=ajax_get_comment parameter
- Unusual traffic patterns to AJAX endpoints from unauthenticated users
Network Indicators:
- HTTP GET requests to WordPress AJAX endpoint with ajax_get_comment action parameter
SIEM Query:
source="wordpress.log" AND uri_path="/wp-admin/admin-ajax.php" AND query_string="*action=ajax_get_comment*"