CVE-2025-12524: CWE-639 Authorization Bypass Through User-Controlled Key in johnjamesjacoby Post Type Switcher
The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to modify the post type of arbitrary posts and pages they do not own, including those created by administrators, which can lead to site disruption, broken navigation, and SEO impact.
AI Analysis
Technical Summary
The Post Type Switcher plugin for WordPress, developed by johnjamesjacoby, suffers from an authorization bypass vulnerability classified as CWE-639 (Authorization Bypass Through User-Controlled Key). This vulnerability exists in all versions up to and including 4.0.0. The root cause is an Insecure Direct Object Reference (IDOR) due to insufficient validation of a user-supplied key parameter that controls which post type is assigned to a post. Authenticated users with Author-level privileges or higher can exploit this flaw to change the post type of arbitrary posts and pages, including those owned by administrators. This unauthorized modification can disrupt site structure by moving content between post types, potentially breaking navigation menus, altering content visibility, and harming SEO rankings. The vulnerability requires no user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 base score is 5.4 (medium severity), reflecting low complexity and no confidentiality impact but moderate integrity and availability impact. No patches or mitigations have been officially released as of the publication date (November 18, 2025), and no active exploits have been reported. The vulnerability highlights the importance of proper authorization checks on user-controlled inputs in WordPress plugins, especially those that modify content metadata.
Potential Impact
This vulnerability allows attackers with Author-level access to manipulate post types of content they do not own, including administrator-created posts. The impact includes potential site disruption through altered content organization, broken navigation menus, and degraded user experience. SEO can be negatively affected if important pages are changed to less visible post types or removed from indexing. While confidentiality is not compromised, the integrity and availability of website content are at risk. For organizations relying on WordPress for content management, this can lead to reputational damage, loss of traffic, and operational challenges in restoring correct content structure. Since the exploit requires authenticated access at Author level or above, the risk is higher in environments where user permissions are broadly assigned or compromised. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability becomes widely known.
Mitigation Recommendations
Organizations should immediately audit and restrict Author-level and higher privileges to trusted users only, minimizing the number of accounts that can exploit this vulnerability. Implement strict role-based access controls and monitor for unusual post type changes in logs. Until an official patch is released, consider disabling or removing the Post Type Switcher plugin if it is not essential. If removal is not feasible, apply web application firewall (WAF) rules to detect and block suspicious requests attempting to modify post types via user-controlled keys. Regularly update WordPress and plugins to the latest versions once patches are available. Additionally, conduct security reviews of other plugins for similar authorization bypass issues. Employ monitoring tools to detect unexpected content structure changes and alert administrators promptly. Educate content authors and administrators about the risks of privilege misuse and enforce strong authentication mechanisms to reduce the risk of account compromise.
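The root cause described above (a post ID taken from the request and acted on without an object-level authorization check) and the "monitor for unusual post type changes" recommendation can both be illustrated with a short WordPress snippet. This is an added example and is not code from the Post Type Switcher plugin; the handler names, the request parameters, the nonce action name and the log line format are assumptions made for illustration. It shows the weak pattern beside the hardened one and adds a hook that records every post type change together with who made it.

```php
<?php
// Added example, not the plugin's code. Hypothetical handler that changes a
// post's type, in a vulnerable form and a hardened form, plus a logging hook
// for detection. Function names, parameters and log format are assumptions.

// Weak pattern (CWE-639): the post ID comes straight from the request and is
// used as-is, so any authenticated user who can reach this handler can point
// it at a post they do not own.
function hypothetical_switch_post_type_vulnerable() {
    $post_id  = (int) $_POST['post_id'];
    $new_type = sanitize_key( $_POST['post_type'] );
    wp_update_post( array( 'ID' => $post_id, 'post_type' => $new_type ) );
}

// Hardened pattern: verify a per-post nonce, check that the caller may edit
// *this* post (an Author fails this check on posts owned by others), and check
// that the target post type exists and the caller may edit content of that type.
function hypothetical_switch_post_type_hardened() {
    if ( ! isset( $_POST['post_id'], $_POST['post_type'], $_POST['_wpnonce'] ) ) {
        wp_die( 'Missing parameters', '', array( 'response' => 400 ) );
    }
    $post_id  = (int) $_POST['post_id'];
    $new_type = sanitize_key( $_POST['post_type'] );

    // 'pts_switch_' is an assumed nonce action name; binding it to the post ID
    // prevents a nonce issued for one post from being replayed against another.
    if ( ! wp_verify_nonce( $_POST['_wpnonce'], 'pts_switch_' . $post_id ) ) {
        wp_die( 'Invalid nonce', '', array( 'response' => 403 ) );
    }
    // The object-level check that an IDOR lacks: capability for this specific post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'You may not edit this post', '', array( 'response' => 403 ) );
    }
    $type_obj = get_post_type_object( $new_type );
    if ( ! $type_obj || ! current_user_can( $type_obj->cap->edit_posts ) ) {
        wp_die( 'Invalid or disallowed post type', '', array( 'response' => 403 ) );
    }
    wp_update_post( array( 'ID' => $post_id, 'post_type' => $new_type ) );
}

// Detection aid: log every post type change with the acting user and whether
// that user owns the post, so changes by non-owners stand out in the log.
add_action( 'post_updated', function ( $post_id, $post_after, $post_before ) {
    if ( $post_after->post_type === $post_before->post_type ) {
        return;
    }
    $user_id  = get_current_user_id();
    $is_owner = ( (int) $post_before->post_author === $user_id ) ? 'owner' : 'NOT-OWNER';
    error_log( sprintf(
        'post_type_change post=%d %s->%s by user=%d (%s)',
        $post_id, $post_before->post_type, $post_after->post_type, $user_id, $is_owner
    ) );
}, 10, 3 );
```

The `edit_post` meta-capability is the check that matters here: WordPress resolves it per post, so an Author holds it only for their own posts, while an Editor or Administrator holds it for all. The `post_updated` hook fires on every update through `wp_update_post`, so the log line also captures changes made by other code paths, which is what a monitoring rule for "unexpected post type changes" would key on.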
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-30T16:41:14.529Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691c17f491aee3c10155a86c
Added to database: 11/18/2025, 6:53:40 AM
Last enriched: 2/27/2026, 8:40:41 PM
Last updated: 3/22/2026, 6:33:09 AM
Views: 126