CVE-2025-12350: CWE-862 Missing Authorization in domiinodev DominoKit
The DominoKit plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wp_ajax_nopriv_dominokit_option_admin_action AJAX endpoint in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to update plugin settings.
AI Analysis
Technical Summary
CVE-2025-12350 is a vulnerability in the DominoKit plugin for WordPress, tracked under CWE-862 (Missing Authorization). The plugin registers its handler on the wp_ajax_nopriv_dominokit_option_admin_action hook, which WordPress fires for AJAX requests from visitors who are not logged in, and the handler performs no capability check. The action is intended for administrative changes to plugin settings, but because authorization is missing, any unauthenticated user can invoke it and modify the plugin configuration. The vulnerability affects all versions of DominoKit up to and including 1.1.0. The CVSS 3.1 base score is 5.3, indicating a medium severity level, with an attack vector of network (remote), low attack complexity, no privileges required, and no user interaction needed. The impact is limited to integrity, as confidentiality and availability are not directly affected. No known exploits have been reported in the wild, and no official patches have been published yet. The vulnerability could be leveraged by attackers to alter plugin behavior, potentially facilitating further attacks such as privilege escalation, persistent backdoors, or disruption of site functionality. The lack of an authentication requirement makes this vulnerability particularly concerning for publicly accessible WordPress sites using DominoKit.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized configuration changes in WordPress sites using the DominoKit plugin. Such unauthorized changes could undermine the integrity of the website, potentially leading to further exploitation such as privilege escalation, data manipulation, or site defacement. Organizations relying on WordPress for critical business functions or customer-facing portals could face reputational damage and operational disruption. Since the vulnerability does not directly impact confidentiality or availability, the immediate risk is moderate; however, the ease of exploitation without authentication increases the threat surface. Attackers could leverage this flaw as a foothold for more sophisticated attacks. European entities with strict data protection regulations (e.g., GDPR) must consider the indirect risks of unauthorized access and potential data integrity issues. The absence of known exploits provides a window for proactive mitigation before widespread exploitation occurs.
Mitigation Recommendations
1. Immediately audit WordPress sites for the presence of the DominoKit plugin and identify versions up to 1.1.0.
2. Disable the DominoKit plugin temporarily if it is not critical to operations until a patch is available.
3. Implement web application firewall (WAF) rules to block access to the wp_ajax_nopriv_dominokit_option_admin_action endpoint from unauthenticated sources.
4. If disabling the plugin is not feasible, apply custom code to enforce capability checks on the vulnerable AJAX endpoint, ensuring only authorized users can invoke it.
5. Monitor web server and WordPress logs for suspicious POST requests targeting the vulnerable endpoint.
6. Stay updated with vendor announcements for official patches and apply them promptly once released.
7. Conduct regular security assessments of WordPress plugins and endpoints to detect missing authorization issues proactively.
8. Educate site administrators about the risks of unauthorized plugin access and the importance of timely updates.
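One way to apply recommendation 4 while no patch exists, shown as an added example that is not DominoKit's code or part of the original advisory: a must-use plugin that runs ahead of the plugin's handler, rejects unauthenticated calls, and logs each rejection for the monitoring in recommendation 5. The file name, the `dkg_`/`DKG_` names, the choice of `manage_options`, and the existence of an authenticated `wp_ajax_dominokit_option_admin_action` hook are assumptions.

```php
<?php
/**
 * Plugin Name: DominoKit AJAX guard (temporary mitigation for CVE-2025-12350)
 *
 * Added example, not DominoKit code. Assumed install path:
 * wp-content/mu-plugins/dominokit-ajax-guard.php (hypothetical file name).
 */

defined( 'ABSPATH' ) || exit;

// AJAX action name, derived from the hook named in the advisory.
const DKG_ACTION = 'dominokit_option_admin_action';

// Assumption: changing plugin settings should require an administrator capability.
const DKG_REQUIRED_CAP = 'manage_options';

/**
 * Log the rejected call and end the request before DominoKit's handler runs.
 */
function dkg_reject( string $reason ): void {
	$ip = isset( $_SERVER['REMOTE_ADDR'] )
		? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
		: 'unknown';
	error_log( sprintf( '[dominokit-guard] blocked %s: %s from %s', DKG_ACTION, $reason, $ip ) );
	wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // sends JSON, then exits
}

// Logged-out visitors: admin-ajax.php fires wp_ajax_nopriv_{action}. The lowest
// possible priority places this callback ahead of the plugin's own handler.
add_action(
	'wp_ajax_nopriv_' . DKG_ACTION,
	static function (): void {
		dkg_reject( 'unauthenticated request' );
	},
	PHP_INT_MIN
);

// Logged-in users: if the plugin also registers wp_ajax_{action} (assumption; the
// advisory names only the nopriv hook), require the capability there as well.
add_action(
	'wp_ajax_' . DKG_ACTION,
	static function (): void {
		if ( ! current_user_can( DKG_REQUIRED_CAP ) ) {
			dkg_reject( 'user lacks ' . DKG_REQUIRED_CAP );
		}
	},
	PHP_INT_MIN
);
```

Must-use plugins load before regular plugins and cannot be deactivated from the admin screen, so the guard stays in place until the file is removed after a fixed DominoKit release is installed.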
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-27T14:43:52.066Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690984dd2b77ca42b4883eb7
Added to database: 11/4/2025, 4:45:17 AM
Last enriched: 11/4/2025, 4:59:20 AM
Last updated: 11/4/2025, 7:57:18 PM