CVE-2025-12524: CWE-639 Authorization Bypass Through User-Controlled Key in johnjamesjacoby Post Type Switcher
The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to modify the post type of arbitrary posts and pages they do not own, including those created by administrators, which can lead to site disruption, broken navigation, and SEO impact.
AI Analysis
Technical Summary
The Post Type Switcher plugin for WordPress, developed by johnjamesjacoby, suffers from an authorization bypass vulnerability classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability exists in all versions up to and including 4.0.0 because a user-controlled key parameter is not sufficiently validated against the requesting user's rights. Authenticated users with Author-level permissions or higher can exploit the flaw to change the post type of arbitrary posts and pages they do not own, including those created by administrators. This is an insecure direct object reference (IDOR): the application accepts the identifier of the target resource from the client and fails to verify that the user is allowed to perform the requested action on that specific resource. The impact includes potential site disruption, broken navigation structures, and adverse effects on SEO rankings, since changing a post type alters how the content is displayed and indexed. The CVSS v3.1 score is 5.4 (medium severity), reflecting a network attack vector, low attack complexity, required privileges at the Author level, no user interaction, unchanged confidentiality, limited integrity impact, and limited availability impact. No patches or known exploits are currently reported, but the vulnerability is publicly disclosed and should be addressed promptly. It is particularly relevant for WordPress sites that rely on this plugin to manage content types, especially those with multiple authors or editors.
Potential Impact
For European organizations, this vulnerability can lead to unauthorized modification of website content structure by users with Author-level access, potentially including internal staff or compromised accounts. This can disrupt website functionality, degrade user experience, and harm search engine rankings due to altered or broken navigation and content misclassification. Organizations relying on WordPress for corporate websites, e-commerce, or content delivery may face reputational damage and operational disruptions. While the vulnerability does not directly expose sensitive data, the integrity and availability of web content are at risk. Attackers could leverage this to deface sites, cause confusion, or indirectly facilitate further attacks by breaking site navigation or SEO. Given the widespread use of WordPress across Europe, especially in small and medium enterprises and public sector websites, the impact could be significant if exploited at scale.
Mitigation Recommendations
European organizations should immediately verify if the Post Type Switcher plugin is installed and determine the version in use. Since no official patch links are provided, organizations should monitor the vendor’s site and trusted security advisories for updates or patches. In the interim, restrict Author-level permissions to trusted users only and audit existing user roles to minimize risk. Implement web application firewalls (WAFs) with rules to detect and block suspicious requests attempting to manipulate post types. Consider disabling or removing the plugin if it is not essential. Additionally, enforce strong authentication and monitor logs for unusual post type modification activities. Regular backups of website content and configurations will aid recovery if exploitation occurs. Finally, educate content managers and administrators about the risks of privilege misuse and the importance of timely updates.
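As an added illustration of the object-level check the analysis above says is missing, and of the log monitoring the mitigations recommend, the following is a hardened WordPress handler for a "switch this post's type" request. It is example code written for this page, not the Post Type Switcher plugin's own code, and it does not claim to show where the plugin's defect lies; the admin-post action name, the form field names and the nonce action are assumptions, while the WordPress functions used (check_admin_referer, current_user_can, get_post_type_object, wp_update_post, the post_updated action) are standard core APIs.

```php
<?php
// Added example (not the plugin's code): a post-type switch handler that
// authorizes on the user-controlled key instead of trusting it.
// Hook name, field names and nonce action are assumptions.

add_action( 'admin_post_example_switch_post_type', 'example_switch_post_type' );

function example_switch_post_type() {
    // CSRF: the request must carry a nonce bound to this action (assumed name).
    check_admin_referer( 'example_switch_post_type' );

    $post_id  = absint( $_POST['post_id'] ?? 0 );          // the user-controlled key
    $new_type = sanitize_key( $_POST['post_type'] ?? '' );

    // Vulnerable pattern (shown for contrast, CWE-639): acting on the key as given,
    // so any user who may edit *some* posts can retype *any* post.
    // wp_update_post( array( 'ID' => $post_id, 'post_type' => $new_type ) );

    $post = get_post( $post_id );
    if ( ! $post ) {
        wp_die( 'No such post.', 400 );
    }

    // Object-level authorization: may THIS user edit THIS post?
    // edit_post is a meta capability mapped per post, so an Author is
    // allowed on their own posts and denied on posts owned by others.
    if ( ! current_user_can( 'edit_post', $post->ID ) ) {
        wp_die( 'You are not allowed to edit this post.', 403 );
    }

    // Target authorization: may this user create content of the new type?
    $target = get_post_type_object( $new_type );
    if ( ! $target || ! current_user_can( $target->cap->edit_posts ) ) {
        wp_die( 'Invalid or disallowed target post type.', 403 );
    }

    wp_update_post( array( 'ID' => $post->ID, 'post_type' => $new_type ) );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}

// Detection: record every post type change together with the acting user,
// which is the event to watch for in the recommended log monitoring.
add_action( 'post_updated', 'example_log_post_type_change', 10, 3 );

function example_log_post_type_change( $post_id, $post_after, $post_before ) {
    if ( $post_before->post_type === $post_after->post_type ) {
        return;
    }
    error_log( sprintf(
        'post_type change: post=%d %s -> %s by user=%d (post author=%d)',
        $post_id,
        $post_before->post_type,
        $post_after->post_type,
        get_current_user_id(),
        (int) $post_after->post_author
    ) );
}
```

The decisive line is the current_user_can( 'edit_post', $post->ID ) check: it ties the decision to the specific post named by the client-supplied key, which is exactly what an IDOR bypasses when the code only checks a role-wide capability or nothing at all. The second check stops a user from moving content into a type they could not create directly. The post_updated logger writes one line per type change; a line whose acting user differs from the post's author, or a burst of such lines from one account, is the pattern to alert on when reviewing logs as the mitigations suggest.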
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-30T16:41:14.529Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691c17f491aee3c10155a86c
Added to database: 11/18/2025, 6:53:40 AM
Last enriched: 11/18/2025, 7:08:40 AM
Last updated: 11/18/2025, 9:04:40 AM