CVE-2025-12372: CWE-862 Missing Authorization in _luigi The Permalinks Cascade
The Permalinks Cascade plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action in the handleTPCAdminAjaxRequest function. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized administrative actions such as enabling or disabling automatic pinging settings and modifying page exclusion settings.
AI Analysis
Technical Summary
CVE-2025-12372 is a Missing Authorization (CWE-862) vulnerability in 'The Permalinks Cascade' WordPress plugin by _luigi, affecting all versions up to and including 2.2. The plugin's handleTPCAdminAjaxRequest function services the plugin's administrative AJAX requests but does not verify that the caller is authorized to perform the requested action. In WordPress, every logged-in user can reach admin-ajax.php, and a wp_ajax_{action} hook grants no privilege by itself: it is the handler's job to call current_user_can() with an appropriate capability (and check_ajax_referer() against CSRF). Because that capability check is missing, any authenticated user with Subscriber-level privileges or higher can invoke the handler and perform operations meant for administrators, such as enabling or disabling automatic pinging and modifying page exclusion settings. These changes alter the plugin's behaviour and can affect SEO-related functionality and site indexing. The flaw is exploitable over the network by an authenticated user with no further user interaction. The CVSS v3.1 base score is 4.3 (medium): network vector, low attack complexity, low privileges required, no user interaction, with a low integrity impact and no confidentiality or availability impact. At the time of this analysis no patched version and no known exploits had been reported, so mitigation has to be proactive. The root cause is the common pattern of treating authentication as authorization: the handler confirms that a user is logged in but never confirms that the user is allowed to do what was asked, which lets the lowest role on the site act as an administrator within the plugin's scope.
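How a WordPress admin-ajax handler ends up with this class of bug, and what the missing check looks like when it is present. This is an added illustration written for this page, not the Permalinks Cascade source: the hook name tpc_admin_request, the cmd/enabled/ids request parameters, the nonce name and the option names are all assumed for illustration.

```php
<?php
// Added illustration of CWE-862 in a WordPress admin-ajax handler.
// NOT the Permalinks Cascade code: hook name, parameters, nonce and option
// names are assumed for illustration only.

// VULNERABLE PATTERN (shown for contrast, not registered below).
// wp_ajax_{action} fires for ANY logged-in user, Subscriber included. With no
// capability check, every account on the site can flip admin-only settings.
function tpc_handle_admin_request_vulnerable() {
    $cmd = isset( $_POST['cmd'] ) ? sanitize_key( $_POST['cmd'] ) : '';
    switch ( $cmd ) {
        case 'toggle_ping':
            update_option( 'tpc_auto_ping', ! empty( $_POST['enabled'] ) );
            wp_send_json_success(); // calls wp_die(), so no fall-through
        case 'exclude_pages':
            $ids = array_map( 'absint', (array) ( $_POST['ids'] ?? array() ) );
            update_option( 'tpc_excluded_pages', $ids );
            wp_send_json_success();
        default:
            wp_send_json_error( 'unknown command', 400 );
    }
}

// HARDENED PATTERN: nonce check (CSRF) plus capability check (authorization).
// Both are needed. A nonce alone does not stop a Subscriber who can obtain
// one, e.g. from a script localized on a page the Subscriber can view.
add_action( 'wp_ajax_tpc_admin_request', 'tpc_handle_admin_request_hardened' );
function tpc_handle_admin_request_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    check_ajax_referer( 'tpc_admin_nonce', 'nonce' );

    // 2. Authorization: only users allowed to manage options get further.
    //    This is the check whose absence is CVE-2025-12372 (CWE-862).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $cmd = isset( $_POST['cmd'] ) ? sanitize_key( $_POST['cmd'] ) : '';
    switch ( $cmd ) {
        case 'toggle_ping':
            update_option( 'tpc_auto_ping', ! empty( $_POST['enabled'] ) );
            wp_send_json_success();
        case 'exclude_pages':
            $ids = array_map( 'absint', (array) ( $_POST['ids'] ?? array() ) );
            update_option( 'tpc_excluded_pages', $ids );
            wp_send_json_success();
        default:
            wp_send_json_error( 'unknown command', 400 );
    }
}
```

The two functions differ only in the two lines at the top of the hardened version. When reviewing a plugin for this bug class, grep for every add_action( 'wp_ajax_ and wp_ajax_nopriv_ registration and confirm the handler reaches current_user_can() before any update_option(), database write or file operation; a nonce check on its own is not an authorization check.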
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the integrity of website configuration managed through the Permalinks Cascade plugin. Unauthorized changes to pinging and page exclusion settings can disrupt SEO strategies, affect search engine indexing, and degrade website visibility and traffic. The vulnerability does not expose sensitive data or cause denial of service on its own, but it lets the lowest-privileged role on the site change administrator-only settings, and the Subscriber role is exactly the one handed out by open self-registration, comment or membership sign-ups and forgotten test accounts. On a site with "Anyone can register" enabled, the practical precondition is therefore just creating an account. Organizations that run WordPress for public-facing sites, particularly in media, e-commerce and government communications, may suffer reputational damage or operational disruption if the flaw is exploited, and a silently altered indexing configuration can go unnoticed for some time. Given the medium severity and the requirement for an authenticated account, the threat is moderate, but it should not be underestimated in environments with many low-privilege users or weak account management.
Mitigation Recommendations
European organizations should start with the accounts, since every Subscriber-or-above account is a foothold for this bug: list them (for example wp user list --role=subscriber), remove stale or unknown accounts, and disable self-registration unless it is genuinely needed (wp option get users_can_register should return 0; in the dashboard this is Settings > General, "Anyone can register"). Note that restricting who can see the plugin's settings page does not help: the vulnerable handler is reached through admin-ajax.php, which every logged-in user can call regardless of what the admin menu shows them. Enforce multi-factor authentication for accounts that matter so that stolen credentials do not become a foothold, and if the plugin is not essential, deactivate it until a fixed release is available. WordPress does not log admin-ajax.php actions by default, so add that telemetry: record the action parameter of admin-ajax.php requests at the web server or WAF (it normally travels in the POST body, so plain access logs will not show it), and alert on changes to the plugin's pinging and page exclusion options. Until an official fix ships, a must-use plugin that denies the plugin's AJAX actions to users without the manage_options capability is a reasonable virtual patch, and a WAF rule keyed on the same action names is an alternative. Watch the plugin's changelog and the Wordfence advisory for a fixed version and update as soon as one appears, keep WordPress core and other plugins current, and make sure site administrators know to report unexpected changes to plugin settings.
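One way to build the virtual patch and the missing telemetry, as an added example for this page rather than anything shipped by the plugin or by Wordfence. It assumes the admin-ajax.php action names that reach handleTPCAdminAjaxRequest are known; the single entry tpc_admin_request in $gated_actions is a placeholder that must be replaced with the real values, which can be read from the browser's network tab while an administrator changes the plugin's settings.

```php
<?php
/**
 * Plugin Name: Admin-AJAX capability gate (virtual patch)
 *
 * Added example, not code from the Permalinks Cascade plugin. Save it in
 * wp-content/mu-plugins/ so it loads before regular plugins. The action
 * names in $gated_actions are ASSUMED placeholders: replace them with the
 * real 'action' values the plugin's admin JavaScript posts to admin-ajax.php.
 */

add_action( 'admin_init', function () {
    // admin-ajax.php fires admin_init before any wp_ajax_{action} hook,
    // so a check here runs ahead of the vulnerable handler. Only act on
    // AJAX requests; ordinary admin page loads are left alone.
    if ( ! wp_doing_ajax() ) {
        return;
    }

    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    if ( '' === $action ) {
        return;
    }

    // ASSUMED: AJAX action names that reach the plugin's admin handler.
    $gated_actions = array( 'tpc_admin_request' );

    if ( ! in_array( $action, $gated_actions, true ) ) {
        return;
    }

    // Administrators (and anyone else holding manage_options) pass through.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    // Everyone else is denied and the attempt is logged. This is the
    // telemetry WordPress does not produce by default; error_log() writes
    // to the PHP error log (or wp-content/debug.log when WP_DEBUG_LOG is on).
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf(
        'admin-ajax gate: blocked action=%s user_id=%d ip=%s',
        $action,
        get_current_user_id(),
        $ip
    ) );

    // wp_send_json_error() calls wp_die(); the plugin's handler never runs.
    wp_send_json_error( 'forbidden', 403 );
}, 0 ); // priority 0 so the gate runs before anything hooked later on admin_init
```

Verify the action list before relying on this: if the plugin also uses one of the gated actions for a legitimate front-end feature available to low-privilege users, the gate will break that feature, which is why the names should be taken from observed traffic rather than guessed. Once a fixed plugin version is installed, remove the must-use plugin so the vendor's own checks are what is being tested.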
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-27T20:36:17.844Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691c305835a0ab0a56270ff4
Added to database: 11/18/2025, 8:37:44 AM
Last enriched: 11/18/2025, 8:56:57 AM
Last updated: 11/21/2025, 5:42:49 PM
Related Threats
- CVE-2025-12973: CWE-434 Unrestricted Upload of File with Dangerous Type in oc3dots S2B AI Assistant – ChatBot, ChatGPT, OpenAI, Content & Image Generator (High)
- CVE-2025-13470: CWE-330 Use of Insufficiently Random Values in Ribose RNP (High)
- CVE-2023-30801: CWE-1392 Use of Default Credentials in qBittorrent qBittorrent client (Critical)
- CVE-2023-30800: CWE-787 Out-of-bounds Write in MikroTik RouterOS (High)
- CVE-2023-30799: CWE-269 Improper Privilege Management in MikroTik RouterOS (Critical)