CVE-2025-12165 identifies a missing authorization vulnerability (CWE-862) in the Webcake – Landing Page Builder plugin for WordPress, specifically in the 'webcake_save_config' AJAX endpoint. This endpoint lacks proper capability checks, allowing authenticated users with Subscriber-level access or above to modify plugin settings without appropriate permissions. The vulnerability affects all versions up to and including 1.1. The flaw arises because the plugin fails to verify whether the requesting user has the necessary privileges before processing configuration changes, violating the principle of least privilege. The CVSS v3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based (remote), requires low privileges (authenticated user), no user interaction is needed, and the impact is limited to integrity (unauthorized modification of plugin settings) without affecting confidentiality or availability. There are no known exploits in the wild, and no patches have been published at the time of disclosure. This vulnerability could be leveraged by malicious insiders or compromised low-privilege accounts to alter landing page configurations, potentially redirecting traffic, injecting malicious content, or disrupting marketing campaigns. Since WordPress is widely used across Europe, and this plugin is designed for landing page creation, the risk is relevant for organizations relying on it for web marketing and customer engagement.

For European organizations, the primary impact of CVE-2025-12165 lies in the unauthorized modification of landing page configurations, which can undermine the integrity of web content and marketing efforts. Attackers with Subscriber-level access could alter plugin settings to redirect visitors to malicious sites, inject fraudulent content, or disrupt legitimate campaigns, potentially damaging brand reputation and customer trust. While the vulnerability does not directly expose sensitive data or cause service outages, the indirect consequences include phishing risks, loss of customer confidence, and potential regulatory scrutiny under data protection laws if customer interactions are compromised. Organizations with large WordPress deployments and multiple user roles are particularly at risk, as the attack surface includes any authenticated user with minimal privileges. The absence of known exploits reduces immediate risk, but the ease of exploitation once an attacker gains low-level access makes timely mitigation critical. Additionally, the vulnerability could be chained with other weaknesses to escalate attacks.

To mitigate CVE-2025-12165, European organizations should implement the following specific measures: 1) Immediately audit all WordPress sites using the Webcake – Landing Page Builder plugin to identify affected versions (up to 1.1). 2) Restrict user roles and permissions rigorously, ensuring that Subscriber-level accounts are limited and monitored, and consider temporarily disabling or removing unnecessary Subscriber accounts. 3) Monitor and log all AJAX requests to the 'webcake_save_config' endpoint to detect unauthorized modification attempts. 4) Apply patches or updates from the vendor as soon as they become available; if no patch exists, consider disabling the plugin or replacing it with a secure alternative. 5) Implement Web Application Firewall (WAF) rules to restrict access to the vulnerable AJAX endpoint to authorized users only. 6) Educate site administrators about the risk and encourage strong authentication practices to reduce the likelihood of account compromise. 7) Conduct regular security reviews of WordPress plugins and their permission models to prevent similar issues.