PT-2026-1732 · WordPress · Wp Page Permalink Extension
Abhirup Konwar
·
Published
2026-01-09
·
Updated
2026-01-09
·
CVE-2025-14172
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
WP Page Permalink Extension versions prior to 1.5.5
Description
The WP Page Permalink Extension plugin for WordPress is susceptible to a missing authorization issue. This occurs because of a lack of authorization checks within the
cwpp trigger flush rewrite rules function, which is connected to the wp ajax cwpp trigger flush rewrite rules action. Authenticated attackers with Subscriber-level access or higher can flush the site's rewrite rules by manipulating the action parameter.Recommendations
Update the WP Page Permalink Extension plugin to version 1.5.5 or later.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wp Page Permalink Extension