PT-2025-47710 · WordPress · Schedule Post Changes With Publishpress Future: Unpublish+1
Athiwat Tiprasaharn · Published 2025-11-21 · Updated 2025-11-21 · CVE-2025-13149
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress versions through 4.9.1
Description
The Schedule Post Changes With PublishPress Future plugin for WordPress has a flaw that allows unauthorized data modification. This is due to a missing authorization check within the saveFutureActionData() function. Authenticated attackers with author-level access or higher can alter the status of any post or page using the REST API endpoint. The vulnerability allows modification of posts and pages via the '/wp-json/publishpress/v1/future-action' API endpoint. The post id variable is used to specify the target post or page.
Recommendations
Update the Schedule Post Changes With PublishPress Future plugin to a version later than 4.9.1.
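For sites that cannot update immediately, the missing object-level check can be enforced in front of the endpoint. The following must-use plugin is an added example, not code from the plugin or its vendor. The `fa_guard_*` names are hypothetical, and the request parameter names it probes for the post id are assumptions, because the advisory does not name the parameter.

```php
<?php
/**
 * Plugin Name: Future-action authorization guard (added example)
 * Stopgap for wp-content/mu-plugins/ until the plugin is updated past 4.9.1.
 */
// Route taken from the advisory; get_route() excludes the /wp-json prefix.
const FA_GUARD_ROUTE = '/publishpress/v1/future-action';
// ASSUMPTION: the advisory does not give the parameter name that carries
// the post id, so several plausible names are probed.
const FA_GUARD_ID_PARAMS = array( 'post_id', 'postId', 'id' );

function fa_guard_target_post_id( WP_REST_Request $request ) {
    foreach ( FA_GUARD_ID_PARAMS as $name ) {
        $value = $request->get_param( $name );
        if ( is_numeric( $value ) && (int) $value > 0 ) {
            return (int) $value;
        }
    }
    // URL parameters are not parsed yet at this stage, so read a trailing id from the path.
    if ( preg_match( '#/(\d+)/?$#', $request->get_route(), $m ) ) {
        return (int) $m[1];
    }
    return 0;
}

function fa_guard_rest_pre_dispatch( $result, $server, $request ) {
    if ( null !== $result || 0 !== strpos( $request->get_route(), FA_GUARD_ROUTE ) ) {
        return $result; // Already handled, or not the affected endpoint.
    }
    if ( in_array( $request->get_method(), array( 'GET', 'HEAD', 'OPTIONS' ), true ) ) {
        return $result; // Only state-changing requests are gated.
    }
    $post_id = fa_guard_target_post_id( $request );
    // Fail closed: with no resolvable id, require rights over other users' posts.
    $allowed = $post_id
        ? current_user_can( 'edit_post', $post_id )
        : current_user_can( 'edit_others_posts' );
    if ( ! $allowed ) {
        return new WP_Error(
            'fa_guard_forbidden',
            'You are not allowed to change scheduled actions for this post.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return $result;
}
add_filter( 'rest_pre_dispatch', 'fa_guard_rest_pre_dispatch', 10, 3 );
```

`current_user_can( 'edit_post', $post_id )` is a per-object capability check, so an author passes it for their own posts but not for other users' posts or for pages.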
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Publishpress Future
Schedule Post Changes With Publishpress Future: Unpublish