CVE-2025-12165: CWE-862 Missing Authorization in huyme Webcake – Landing Page Builder
The Webcake – Landing Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webcake_save_config' AJAX endpoint in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's settings.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-12165 affects the Webcake – Landing Page Builder plugin for WordPress, specifically versions up to 1.1. The root cause is a missing authorization check (CWE-862) on the 'webcake_save_config' AJAX endpoint, which is responsible for saving the plugin's configuration settings. This endpoint fails to verify whether the authenticated user has sufficient privileges before allowing configuration changes. As a result, any authenticated user with at least Subscriber-level access can exploit this flaw to modify plugin settings. Since WordPress Subscriber roles typically have minimal permissions, this vulnerability significantly lowers the barrier for exploitation compared to requiring Administrator access. The attack vector is network-based (remote), with no user interaction needed beyond authentication. The vulnerability impacts the integrity of the plugin’s configuration but does not affect confidentiality or availability directly. No patches or fixes are currently linked, and no known exploits have been observed in the wild. The CVSS 3.1 base score is 4.3, indicating medium severity due to the limited impact and the requirement for authenticated access. The vulnerability was published on December 5, 2025, with the CWE classification of CWE-862 (Missing Authorization).
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the integrity of their WordPress-based marketing and landing page infrastructure. Unauthorized modification of plugin settings could lead to altered landing page content, potentially enabling phishing, misinformation, or the injection of malicious scripts that could affect end users or damage brand reputation. While the vulnerability does not allow direct data theft or denial of service, the ability to change plugin behavior without proper authorization can facilitate further attacks or undermine trust in web properties. Organizations relying on Webcake for customer engagement or lead generation may experience operational disruptions or reputational harm if attackers exploit this flaw. Given the widespread use of WordPress in Europe, especially among SMEs and digital marketing agencies, the potential impact is significant in sectors where landing page integrity is critical. The requirement for authenticated access limits exposure but does not eliminate risk, as Subscriber accounts are commonly created or compromised in many environments.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify the presence of the Webcake – Landing Page Builder plugin, particularly versions up to 1.1. Since no official patch is currently available, temporary mitigations include restricting Subscriber-level user creation and access, implementing strict user role management, and monitoring for unusual configuration changes in the plugin. Web application firewalls (WAFs) can be configured to block unauthorized AJAX requests to the 'webcake_save_config' endpoint from low-privilege users. Additionally, organizations should enforce multi-factor authentication (MFA) for all authenticated users to reduce the risk of account compromise. Regularly reviewing user accounts and permissions, combined with logging and alerting on configuration changes, will help detect exploitation attempts. Once a patch is released, prompt application of updates is critical. Security teams should also educate site administrators about the risks of granting unnecessary permissions to users and encourage the use of least privilege principles.
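As an added illustration (not the Webcake plugin's own code, which is not reproduced here), the handler pattern behind the missing capability check described above beside its hardened form, followed by a temporary mu-plugin guard of the kind the mitigation section suggests for sites that cannot yet update. The option name `webcake_config`, the POST field `config` and the nonce action are assumptions.

```php
<?php
// Illustrative reconstruction, not the Webcake plugin's own code: the option
// name 'webcake_config', the POST field 'config' and the nonce action are assumptions.

// The CWE-862 pattern: a wp_ajax_* hook only requires a logged-in session,
// which a Subscriber has, so any authenticated user can reach update_option().
// Shown for contrast only; it is deliberately not registered below.
function webcake_save_config_vulnerable() {
    $config = isset( $_POST['config'] ) ? wp_unslash( $_POST['config'] ) : array();
    update_option( 'webcake_config', $config ); // no capability check, no nonce
    wp_send_json_success();
}

// Hardened form: authorization (capability) and CSRF (nonce) checks before any write.
function webcake_save_config_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    check_ajax_referer( 'webcake_save_config', 'nonce' ); // dies on a bad or missing nonce

    $raw    = isset( $_POST['config'] ) && is_array( $_POST['config'] )
        ? wp_unslash( $_POST['config'] ) : array();
    $config = array_map( 'sanitize_text_field', $raw );
    update_option( 'webcake_config', $config );
    wp_send_json_success( array( 'saved' => count( $config ) ) );
}
add_action( 'wp_ajax_webcake_save_config', 'webcake_save_config_hardened' );

// Temporary virtual patch for a site that cannot yet update (e.g. as a file in
// wp-content/mu-plugins/). admin-ajax.php fires admin_init before dispatching the
// wp_ajax_{action} hook, so priority 0 here rejects the request before the
// plugin's handler runs, and the log line gives monitoring something to alert on.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( 'webcake_save_config' === $action && ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf( 'webcake_save_config blocked for user %d', get_current_user_id() ) );
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
}, 0 );
```

The guard is a stopgap for the unpatched window only; once a fixed plugin version is released, updating replaces it.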
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-24T14:16:57.300Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69327172f88dbe026c77991e
Added to database: 12/5/2025, 5:45:22 AM
Last enriched: 12/12/2025, 6:04:42 AM
Last updated: 2/4/2026, 5:12:15 AM