CVE-2025-12027 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Mesmerize Companion plugin for WordPress, specifically in all versions up to 1.6.158. The issue arises because the plugin fails to perform proper capability checks in the functions openPageInCustomizer and openPageInDefaultEditor. These functions are responsible for enabling page editing features such as marking pages as maintainable, wrapping content in custom sections, changing page template metadata, and toggling the default editor flag. The lack of authorization checks means that any authenticated user with subscriber-level access or higher can exploit these functions to modify page content and metadata without the necessary permissions. This can lead to unauthorized content changes that may affect the integrity of the website’s content and presentation. The vulnerability is remotely exploitable over the network (AV:N), requires low privileges (PR:L), does not require user interaction (UI:N), and affects the integrity of the system (I:L) but not confidentiality or availability. The scope is unchanged (S:U), meaning the impact is limited to the vulnerable component. No patches have been released at the time of reporting, and no known exploits are currently in the wild. The vulnerability is relevant to websites using the Mesmerize theme with the Mesmerize Companion plugin installed, which is a popular theme/plugin combination for WordPress sites focusing on customizable page layouts.

For European organizations, this vulnerability poses a risk primarily to the integrity of website content and metadata. Unauthorized modifications could lead to misinformation, defacement, or unauthorized content injection, potentially damaging brand reputation and user trust. Although the vulnerability does not directly expose confidential data or cause denial of service, the ability to alter page templates and content could be leveraged for phishing, misinformation campaigns, or to facilitate further attacks such as privilege escalation or malware distribution. Organizations relying on WordPress sites with the Mesmerize theme and plugin are at risk, especially those with subscriber-level user registrations or other low-privilege user roles that could be compromised or misused. The impact is more pronounced for public-facing websites, e-commerce platforms, and government or critical infrastructure sites where content integrity is crucial. Given the medium CVSS score and the requirement for authenticated access, the threat is moderate but should not be underestimated in environments with many low-privilege users.

European organizations should immediately audit their WordPress installations to identify the presence of the Mesmerize Companion plugin and the Mesmerize theme. Until an official patch is released, administrators should restrict subscriber-level user capabilities to the minimum necessary, potentially disabling or limiting page editing features for low-privilege users. Implementing strict user role management and monitoring for unusual page modifications can help detect exploitation attempts. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable functions. Regularly review user accounts and remove or disable inactive or suspicious accounts to reduce the attack surface. Organizations should also subscribe to vendor and security mailing lists to receive timely updates and apply patches as soon as they become available. Consider deploying integrity monitoring tools to alert on unauthorized changes to page content and metadata. Finally, educate content managers and administrators about this vulnerability and the importance of access control hygiene.