The vulnerability CVE-2025-12641 affects the Awesome Support WordPress HelpDesk & Support Plugin in all versions up to and including 6.3.6. The root cause is a missing authorization check in the 'wpas_do_mr_activate_user' function, which fails to verify if the user has the capability to modify other users' roles. Compounding this issue is a nonce reuse vulnerability: the plugin uses the same nonce namespace for both public registration and privileged actions, allowing nonces obtained from publicly accessible pages (such as registration or ticket submission) to be reused for privileged operations. An unauthenticated attacker can exploit this by accessing the public registration or ticket submission page to extract a valid nonce, then sending a request to the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter. This enables the attacker to demote administrator accounts to low-privilege roles, effectively stripping administrative rights without authentication or user interaction. The vulnerability impacts the integrity and availability of the system by allowing unauthorized privilege changes that could disrupt administrative functions or facilitate further attacks. The CVSS 3.1 base score is 6.5 (medium), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to integrity and availability. No public patches or known exploits are currently available, highlighting the need for proactive mitigation by affected users.

For European organizations, this vulnerability poses a significant risk to the integrity and availability of WordPress sites using the Awesome Support plugin. Unauthorized demotion of administrators can lead to loss of administrative control, enabling attackers to disrupt support operations, modify or delete critical data, or facilitate further compromise by escalating privileges through other means. Organizations relying on this plugin for customer support or helpdesk functions may experience operational disruptions, reputational damage, and potential data loss. Since the exploit requires no authentication or user interaction and can be performed remotely over the network, the attack surface is broad. The impact is particularly critical for organizations with public-facing WordPress sites that use this plugin, including government agencies, healthcare providers, and enterprises in sectors with strict data protection regulations such as GDPR. Failure to address this vulnerability could also lead to compliance issues and legal liabilities in Europe.

European organizations should immediately assess their WordPress installations for the presence of the Awesome Support plugin and verify the version in use. Since no official patches are currently available, temporary mitigations include restricting access to the public registration and ticket submission pages to trusted users or IP addresses, thereby preventing attackers from obtaining valid nonces. Implementing Web Application Firewall (WAF) rules to detect and block requests containing the 'wpas-do=mr_activate_user' parameter or suspicious role modification attempts can reduce risk. Administrators should monitor user role changes closely and maintain regular backups of user data and site configurations. Additionally, organizations should consider disabling or replacing the plugin with alternative support solutions until a patched version is released. Once an official patch is available, prompt application is critical. Security teams should also audit logs for any signs of exploitation attempts and educate site administrators about the risks of privilege escalation vulnerabilities.