CVE-2025-12129 is an information exposure vulnerability identified in the CubeWP – All-in-One Dynamic Content Framework plugin for WordPress, affecting all versions up to and including 1.1.27. The vulnerability arises from insufficient access control on two REST API endpoints: /cubewp-posts/v1/query-new and /cubewp-posts/v1/query. These endpoints allow unauthenticated users to query posts without proper restrictions, enabling attackers to access data from posts that are password protected, private, or in draft status. This bypasses WordPress's intended content visibility rules, exposing sensitive information to unauthorized actors. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS 3.1 base score is 5.3, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, no user interaction, and limited confidentiality impact. No known exploits have been reported in the wild as of now. The root cause is the plugin’s failure to enforce proper permission checks on REST API queries, which is critical given the widespread use of REST APIs in WordPress plugins. This flaw can be exploited remotely by any unauthenticated attacker, making it a significant privacy risk for websites using this plugin. The vulnerability highlights the importance of strict access control enforcement on API endpoints that expose content data.

The primary impact of CVE-2025-12129 is unauthorized disclosure of sensitive content from WordPress sites using the CubeWP Framework plugin. Attackers can access password-protected, private, or draft posts without authentication, potentially exposing confidential business information, unpublished content, or personal data. This can lead to privacy violations, reputational damage, and loss of trust for affected organizations. Although the vulnerability does not allow modification or deletion of content, the confidentiality breach alone can have serious consequences, especially for sites handling sensitive or proprietary information. The ease of exploitation (no authentication or user interaction required) increases the risk of automated scanning and data harvesting attacks. Organizations relying on CubeWP for dynamic content delivery may face compliance issues if sensitive data is exposed. The scope includes all sites running vulnerable versions of CubeWP, which could be significant given WordPress’s global market share and CubeWP’s adoption in dynamic content management. While no active exploitation is reported, the vulnerability’s presence in public CVE databases may prompt attackers to develop exploits.

To mitigate CVE-2025-12129, organizations should immediately update the CubeWP Framework plugin to a patched version once released by the vendor. Until a patch is available, administrators should restrict access to the vulnerable REST API endpoints by implementing web application firewall (WAF) rules that block unauthenticated requests to /cubewp-posts/v1/query-new and /cubewp-posts/v1/query. Additionally, disabling the CubeWP REST API endpoints entirely if not required can reduce exposure. Site owners should audit their WordPress REST API permissions and ensure that sensitive content is not accessible via API calls without proper authentication and authorization checks. Monitoring web server logs for unusual access patterns to these endpoints can help detect exploitation attempts. Employing principle of least privilege for plugin permissions and regularly reviewing plugin security advisories are recommended. Finally, consider isolating sensitive content or using alternative plugins with stronger access controls if CubeWP cannot be immediately updated.