CVE-2025-12165 identifies a missing authorization vulnerability (CWE-862) in the Webcake – Landing Page Builder plugin for WordPress, affecting all versions up to and including 1.1. The vulnerability exists because the plugin's AJAX endpoint 'webcake_save_config' does not perform adequate capability checks to verify if the requesting user has permission to modify plugin settings. As a result, any authenticated user with at least Subscriber-level privileges can send crafted AJAX requests to alter the plugin's configuration without proper authorization. This flaw undermines the integrity of the plugin's settings, potentially allowing attackers to manipulate landing page behavior or configurations in unintended ways. The vulnerability is exploitable remotely over the network without requiring user interaction, increasing its risk profile. However, it does not expose confidential data nor does it affect system availability. The CVSS v3.1 base score is 4.3 (medium severity), reflecting the limited impact scope focused on integrity with low complexity and low privileges required. No public exploits or patches are currently available, but the vulnerability has been officially published and reserved in the CVE database. The issue highlights the importance of implementing strict capability checks on all AJAX endpoints in WordPress plugins to prevent unauthorized configuration changes.

The primary impact of this vulnerability is the unauthorized modification of plugin settings by low-privileged authenticated users. This can lead to altered landing page configurations, potentially affecting website behavior, user experience, or marketing campaigns. While it does not directly expose sensitive data or cause denial of service, unauthorized changes could be leveraged as part of a broader attack chain, such as injecting malicious content or redirecting users to malicious sites if the plugin controls such functionality. Organizations relying on this plugin for critical marketing or customer engagement functions may experience reputational damage or loss of trust if attackers manipulate landing pages. The vulnerability's requirement for authenticated access limits exposure to environments where user registration is open or where attackers have compromised low-level accounts. Nonetheless, given WordPress's widespread use and the plugin's presence, the vulnerability poses a moderate risk to many websites globally.

To mitigate this vulnerability, organizations should first check for and apply any official patches or updates from the plugin vendor once available. In the absence of patches, administrators should restrict user roles and permissions to minimize the number of users with Subscriber-level or higher access, especially on sites where the plugin is installed. Implementing web application firewalls (WAFs) with rules to detect and block unauthorized AJAX requests targeting 'webcake_save_config' can help reduce exploitation risk. Additionally, monitoring plugin configuration changes and auditing user activities can provide early detection of unauthorized modifications. Developers maintaining the plugin should add strict capability checks to the AJAX endpoint to verify user permissions before processing requests. Finally, consider disabling or removing the plugin if it is not essential to reduce the attack surface.