The WP Headless CMS Framework plugin for WordPress, developed by benmoody, suffers from a protection mechanism failure classified under CWE-693. Specifically, the plugin's nonce protection bypass logic is flawed because it only verifies the presence of the Authorization HTTP header to decide whether to bypass nonce validation. This simplistic check allows unauthenticated attackers to craft requests containing an Authorization header, thereby circumventing nonce protections designed to prevent unauthorized access. As a result, attackers can access content that should be restricted, leading to potential information disclosure. The vulnerability affects all versions up to and including 1.15. The CVSS 3.1 base score is 5.3, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, no user interaction, and limited confidentiality impact. No integrity or availability impacts are noted. No patches have been published yet, and no known exploits are reported in the wild. The vulnerability was reserved in early October 2025 and published in November 2025. This issue highlights the importance of robust authorization checks beyond simple header presence and proper nonce validation in WordPress plugins, especially those exposing headless CMS functionality.

The primary impact of this vulnerability is unauthorized disclosure of content that should be protected by nonce-based authorization mechanisms. Attackers can exploit this flaw remotely without authentication or user interaction, potentially accessing sensitive or restricted data hosted on WordPress sites using the vulnerable plugin. While the vulnerability does not affect data integrity or availability, unauthorized content access can lead to information leakage, privacy violations, and potential exposure of business-sensitive or user data. Organizations relying on the WP Headless CMS Framework for content delivery may face reputational damage, compliance issues, and increased risk of targeted attacks leveraging exposed information. The scope is limited to sites using this specific plugin, but given WordPress's widespread use, the number of affected sites could be significant. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as proof-of-concept exploits could emerge.

1. Immediately audit all WordPress sites for the presence of the WP Headless CMS Framework plugin and identify versions up to 1.15. 2. If possible, disable or uninstall the plugin until a vendor patch is released. 3. Implement web application firewall (WAF) rules to block or monitor requests containing suspicious Authorization headers that do not correspond to legitimate authentication flows. 4. Restrict access to sensitive content endpoints via IP whitelisting or additional authentication layers where feasible. 5. Monitor web server and application logs for unusual access patterns involving Authorization headers from unauthenticated sources. 6. Engage with the plugin vendor or community to obtain or develop patches that correctly validate nonce tokens without relying solely on the Authorization header presence. 7. Educate developers and administrators on secure nonce implementation and the risks of bypassing security checks based on header presence alone. 8. Regularly update WordPress core and plugins to incorporate security fixes promptly. 9. Consider deploying content access controls at the hosting or CDN level as an additional safeguard.