CVE-2025-12168 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Phrase TMS Integration for WordPress plugin, which integrates translation management system capabilities into WordPress sites. The issue exists in all versions up to and including 4.7.5, where the AJAX endpoint 'wp_ajax_delete_log' lacks proper capability checks. This endpoint allows deletion of log files, but due to missing authorization validation, any authenticated user with at least Subscriber-level privileges can invoke this endpoint to delete logs. Since WordPress Subscriber roles are typically assigned to low-privilege users, this vulnerability significantly lowers the barrier for unauthorized modification of log data. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The impact is limited to integrity, as attackers cannot read or disrupt service but can erase logs, potentially covering tracks or disrupting audit trails. The CVSS 3.1 base score is 4.3, reflecting network attack vector, low complexity, low privileges required, no user interaction, and limited impact on integrity only. No known exploits have been reported in the wild, and no official patches have been released at the time of publication. The vulnerability was assigned and published by Wordfence and reserved in late 2025.

The primary impact of this vulnerability is unauthorized modification of log files, which can undermine the integrity of audit trails and forensic data. Attackers with Subscriber-level access can delete logs that might otherwise reveal malicious activities, making detection and incident response more difficult. While the vulnerability does not directly compromise confidentiality or availability, the ability to erase logs can facilitate persistent attacks or cover unauthorized actions. Organizations relying on the Phrase TMS Integration plugin for translation management may face increased risk of undetected insider threats or external attackers who have gained low-level access. This can affect compliance with regulatory requirements for logging and monitoring. The scope includes any WordPress site using the vulnerable plugin version, which could be widespread given WordPress’s global popularity. The ease of exploitation is relatively high since only authenticated access at a low privilege level is required, and no user interaction is needed beyond login.

To mitigate this vulnerability, organizations should immediately restrict access to the 'wp_ajax_delete_log' AJAX endpoint by implementing proper capability checks that ensure only authorized roles (e.g., administrators) can invoke log deletion functions. If possible, update or patch the Phrase TMS Integration plugin once an official fix is released. In the interim, consider disabling or restricting the plugin’s log deletion features via custom code or security plugins that enforce role-based access control. Monitor user activities and audit logs for suspicious deletion attempts or unusual behavior by low-privilege users. Employ WordPress security best practices such as limiting user roles and permissions, enforcing strong authentication mechanisms, and maintaining regular backups of log files to enable recovery. Additionally, consider deploying Web Application Firewalls (WAFs) with custom rules to block unauthorized AJAX requests targeting this endpoint. Regularly review plugin security advisories and subscribe to threat intelligence feeds for updates on this vulnerability.