Vulnerability Description
The Accessiy By CodeConfig Accessibility plugin for WordPress is vulnerable to unauthorized page creation due to missing authorization checks in versions up to, and including, 1.0.0. This is due to the plugin not performing capability checks in the `Settings::createPage()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary published pages on the site via the `ccpcaCreatePage` AJAX action.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/tags/1.0.0/i
- https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/tags/1.0.0/i
- https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/trunk/includ
- https://plugins.trac.wordpress.org/browser/codeconfig-accessibility/trunk/includ
- https://plugins.trac.wordpress.org/changeset/3411529/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/fe324d4d-eb52-4eeb-ad9
FAQ
What is CVE-2025-13358?
CVE-2025-13358 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The Accessiy By CodeConfig Accessibility plugin for WordPress is vulnerable to unauthorized page creation due to missing authorization checks in versions up to, and including, 1.0.0. This is due to th...
How severe is CVE-2025-13358?
CVE-2025-13358 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-13358?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.