CVE-2025-14172
📋 TL;DR
The WP Page Permalink Extension plugin for WordPress has a missing authorization vulnerability that allows authenticated users with Subscriber-level access or higher to flush the site's rewrite rules. This can cause temporary site disruption by breaking permalinks and potentially affecting SEO. All WordPress sites using this plugin up to version 1.5.4 are affected.
💻 Affected Systems
- WP Page Permalink Extension WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker could repeatedly flush rewrite rules, causing persistent site disruption, broken links, SEO damage, and potential denial of service during high-traffic periods.
Likely Case
Temporary site disruption with broken permalinks until rewrite rules are regenerated, potentially affecting user experience and causing 404 errors.
If Mitigated
Minimal impact with proper user role management and monitoring in place.
🎯 Exploit Status
Exploitation requires authenticated access but is simple via AJAX request to wp-admin/admin-ajax.php with action=cwpp_trigger_flush_rewrite_rules.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.5 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'WP Page Permalink Extension'. 4. Click 'Update Now' if update available. 5. If no update available, deactivate and delete plugin, then install fresh version 1.5.5+ from WordPress repository.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
allDeactivate the vulnerable plugin until patched version is available
wp plugin deactivate change-wp-page-permalinks
Restrict User Roles
allTemporarily restrict Subscriber and other low-privilege user creation
🧯 If You Can't Patch
- Deactivate the WP Page Permalink Extension plugin immediately
- Implement strict user role management and monitor for suspicious AJAX requests to admin-ajax.php
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for 'WP Page Permalink Extension' version 1.5.4 or lowerCheck Version:
wp plugin list --name=change-wp-page-permalinks --field=versionVerify Fix Applied:
Verify plugin version is 1.5.5 or higher in WordPress admin plugins page📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=cwpp_trigger_flush_rewrite_rules from non-admin users
- Rewrite rule flush events in WordPress debug logs
Network Indicators:
- POST requests to admin-ajax.php with the vulnerable action parameter from unexpected IPs
SIEM Query:
source="wordpress.log" AND "cwpp_trigger_flush_rewrite_rules" AND user_role!="administrator"🔗 References
- https://plugins.trac.wordpress.org/browser/change-wp-page-permalinks/tags/1.5.4/change-wp-page-permalinks.php#L188
- https://plugins.trac.wordpress.org/browser/change-wp-page-permalinks/trunk/change-wp-page-permalinks.php#L188
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c5ba37d7-8fde-4ee3-93db-d2459da34bc4?source=cve
