Vulnerability Description
The The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0 via several functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform several actions like moving/deleting/creating chapters in books that do not belong to them.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old
- https://wordpress.org/plugins/the-total-book-project/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e1b473fd-2444-4a54-b55
FAQ
What is CVE-2025-12126?
CVE-2025-12126 is a vulnerability with a CVSS score of 5.4 (MEDIUM). The The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0 via several functions due to missing validation on a user co...
How severe is CVE-2025-12126?
CVE-2025-12126 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-12126?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.