
CVE-2024-12825: CWE-862 Missing Authorization in brechtvds Custom Related Posts

Severity: Medium
Published: Sat Feb 01 2025 (02/01/2025, 07:21:37 UTC)
Source: CVE Database V5
Vendor/Project: brechtvds
Product: Custom Related Posts

Description

CVE-2024-12825 is a medium-severity vulnerability in the Custom Related Posts WordPress plugin (up to version 1.7.3) caused by missing authorization checks on three AJAX actions. Authenticated users with Subscriber-level access or higher can exploit this flaw to search posts and modify related post links without proper permissions. This vulnerability impacts confidentiality and integrity but does not affect availability. Exploitation requires authentication but no user interaction beyond login. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or implementing access restrictions to mitigate risk. The threat primarily affects WordPress sites globally, especially in countries with high WordPress adoption. Due to the medium CVSS score (5.

AI-Powered Analysis

Last updated: 02/26/2026, 02:47:04 UTC

Technical Analysis

CVE-2024-12825 is a vulnerability identified in the Custom Related Posts plugin for WordPress, maintained by brechtvds, affecting all versions up to and including 1.7.3. The root cause is a missing authorization (CWE-862) on three AJAX endpoints that handle searching posts and linking or unlinking related posts. These AJAX actions lack proper capability checks, allowing any authenticated user with at least Subscriber-level privileges to perform unauthorized operations. Specifically, attackers can search for posts and modify relationships between posts, actions normally restricted to higher privilege roles. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network (AV:N). The CVSS 3.1 base score is 5.4, reflecting low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and limited impact on confidentiality and integrity (C:L/I:L) but no impact on availability (A:N). Although no public exploits have been reported, the flaw presents a risk in environments where low-privileged users exist, such as multi-user WordPress sites or shared hosting. The absence of patches at the time of reporting means mitigation relies on access control or plugin updates when available. This vulnerability highlights the importance of enforcing capability checks on all AJAX actions in WordPress plugins to prevent privilege escalation or unauthorized data manipulation.
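The following is an added illustration of the CWE-862 pattern described above, not code from the Custom Related Posts plugin: a WordPress AJAX handler that is reachable by any logged-in user but never checks a capability, shown next to a hardened version that verifies a nonce and requires the caller to be allowed to edit the post before its relationships are changed. All action names, function names and the `_example_related` meta key are hypothetical.

```php
<?php
// Vulnerable pattern (hypothetical): wp_ajax_* hooks fire for every
// authenticated user, including Subscribers. Without a capability check the
// handler itself is the only gate, and here it has none (CWE-862).
add_action('wp_ajax_example_link_related', 'example_link_related_vulnerable');
function example_link_related_vulnerable() {
    $post_id    = (int) ($_POST['post_id'] ?? 0);
    $related_id = (int) ($_POST['related_id'] ?? 0);
    // No nonce check and no current_user_can(): any Subscriber can link posts.
    add_post_meta($post_id, '_example_related', $related_id);
    wp_send_json_success();
}

// Hardened pattern (hypothetical names). The page that renders the UI must
// hand the nonce to the script, e.g. via wp_localize_script() with
// wp_create_nonce('example_related_nonce').
add_action('wp_ajax_example_link_related_fixed', 'example_link_related_fixed');
function example_link_related_fixed() {
    // CSRF protection: dies with HTTP 403 if the nonce is missing or invalid.
    check_ajax_referer('example_related_nonce', 'nonce');

    $post_id    = absint($_POST['post_id'] ?? 0);
    $related_id = absint($_POST['related_id'] ?? 0);

    // Authorization: the caller must be able to edit this specific post.
    // Subscribers hold no edit_post capability, so they are rejected here.
    if (!$post_id || !$related_id || !current_user_can('edit_post', $post_id)) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }
    add_post_meta($post_id, '_example_related', $related_id);
    wp_send_json_success();
}

// Search handler with the same gate: a search for link candidates is only
// meaningful for users who may edit posts, and 'perm' => 'editable' keeps
// drafts and private posts of other authors out of the results.
add_action('wp_ajax_example_search_posts_fixed', 'example_search_posts_fixed');
function example_search_posts_fixed() {
    check_ajax_referer('example_related_nonce', 'nonce');
    if (!current_user_can('edit_posts')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }
    $term  = sanitize_text_field(wp_unslash($_POST['s'] ?? ''));
    $query = new WP_Query([
        's' => $term, 'post_status' => ['publish', 'draft', 'private'],
        'perm' => 'editable', 'posts_per_page' => 20, 'no_found_rows' => true,
    ]);
    $hits = array_map(fn($p) => ['id' => $p->ID, 'title' => $p->post_title], $query->posts);
    wp_send_json_success($hits);
}
```

The same two checks (nonce plus a capability tied to the object being changed) are what to look for when auditing other plugins for the missing-authorization issue the mitigation section recommends.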

Potential Impact

The vulnerability allows authenticated users with minimal privileges (Subscriber-level) to bypass intended authorization controls and modify post relationships, potentially leading to unauthorized content manipulation. This can undermine data integrity by allowing unauthorized changes to related post links, which may affect site content presentation and user experience. Confidentiality impact is limited but present, as attackers can search posts they might not otherwise access. Availability is unaffected. For organizations, this could lead to content tampering, misinformation, or reputational damage if attackers manipulate related posts to mislead visitors. In multi-user or multi-tenant WordPress environments, the risk is higher due to the presence of multiple authenticated users with varying trust levels. Although no known exploits exist currently, the vulnerability could be leveraged in targeted attacks or combined with other flaws to escalate privileges or conduct further compromise.

Mitigation Recommendations

Organizations should immediately review user roles and restrict Subscriber-level accounts to trusted users only. Implement strict access controls and monitor AJAX requests to detect unusual activity related to post searching and linking. Disable or remove the Custom Related Posts plugin if not essential until a patch is released. If plugin updates become available, apply them promptly to enforce proper capability checks. Consider using Web Application Firewalls (WAFs) to block unauthorized AJAX calls targeting the vulnerable endpoints. Additionally, audit WordPress plugins for similar missing authorization issues and enforce a policy of least privilege for all authenticated users. Regularly monitor logs for suspicious modifications to post relationships and conduct security assessments on WordPress installations to identify and remediate similar vulnerabilities.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-12-19T21:19:58.518Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e49b7ef31ef0b59c583

Added to database: 2/25/2026, 9:48:57 PM

Last enriched: 2/26/2026, 2:47:04 AM

Last updated: 2/26/2026, 7:15:50 AM
