CVE-2025-12641 is a medium-severity authorization bypass vulnerability identified in the Awesome Support – WordPress HelpDesk & Support Plugin, affecting all versions up to and including 6.3.6. The root cause is the absence of proper capability checks in the 'wpas_do_mr_activate_user' function, which fails to verify if the user has permission to modify other users' roles. Additionally, a nonce reuse vulnerability exists because all actions share the same nonce namespace, and public registration nonces are valid for privileged actions. This combination allows unauthenticated attackers to exploit the 'wpas-do=mr_activate_user' action by supplying a crafted 'user_id' parameter to demote administrators to low-privilege roles. Attackers only need to access the publicly available registration or submit ticket page to extract a valid nonce, making exploitation feasible without authentication or user interaction. The vulnerability impacts the integrity and availability of the system by enabling unauthorized role changes that can disrupt administrative control. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk to WordPress sites using this plugin. The CVSS v3.1 score is 6.5 (medium), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on integrity and availability but not confidentiality.

The primary impact of CVE-2025-12641 is the unauthorized demotion of administrator accounts to lower-privilege roles, which undermines the integrity of user role assignments and can lead to loss of administrative control over the WordPress site. This can result in disruption of site management, inability to perform critical administrative tasks, and potentially open the door for further exploitation by malicious actors who gain foothold through reduced privileges. The availability of administrative functions may also be affected if administrators are demoted and cannot access necessary controls. Since the vulnerability can be exploited remotely without authentication or user interaction, it poses a significant risk to any organization using the affected plugin, especially those relying on it for customer support and helpdesk operations. The compromise of administrative roles can lead to broader security incidents, including data loss, defacement, or further privilege escalation through chained vulnerabilities.

To mitigate CVE-2025-12641, organizations should immediately update the Awesome Support plugin to a patched version once available. Until a patch is released, administrators should consider disabling or restricting access to the public registration and ticket submission pages to prevent attackers from obtaining valid nonces. Implementing Web Application Firewall (WAF) rules to detect and block requests containing the 'wpas-do=mr_activate_user' action with suspicious parameters can reduce exploitation risk. Additionally, monitoring user role changes and setting up alerts for unexpected privilege modifications can help detect exploitation attempts early. Restricting plugin usage to trusted users and limiting plugin permissions can also reduce attack surface. Regularly auditing WordPress user roles and permissions, and enforcing strong administrative account security practices, including multi-factor authentication, will further protect against unauthorized access resulting from this vulnerability.