
CVE-2025-13149: CWE-862 Missing Authorization in publishpress Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories

Severity: Medium
Tags: vulnerability, CVE-2025-13149, CWE-862
Published: Fri Nov 21 2025 (11/21/2025, 08:28:13 UTC)
Source: CVE Database V5
Vendor/Project: publishpress
Product: Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories

Description

The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the "saveFutureActionData" function in all versions up to, and including, 4.9.1. This makes it possible for authenticated attackers, with author level access and above, to change the status of arbitrary posts and pages via the REST API endpoint.

AI-Powered Analysis

Last updated: 11/28/2025, 09:44:02 UTC

Technical Analysis

CVE-2025-13149 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the WordPress plugin 'Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories' in all versions up to and including 4.9.1. The root cause is the absence of an authorization check in the 'saveFutureActionData' function, which is accessible via the WordPress REST API. This flaw allows any authenticated user with author-level permissions or higher to perform unauthorized modifications on arbitrary posts and pages. Specifically, attackers can change post statuses, unpublish content, delete or trash posts, and alter categories without proper authorization. The vulnerability requires authentication but no additional user interaction, and the attack surface includes any WordPress installation running the affected plugin version. The CVSS 3.1 base score is 4.3 (medium), with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating network exploitability with low attack complexity, requiring privileges, no user interaction, unchanged scope, no confidentiality impact, limited integrity impact, and no availability impact. No public exploits have been reported yet, but the vulnerability poses a risk of unauthorized content manipulation, potentially undermining website integrity and trust. The vulnerability was published on November 21, 2025, and no patches or fixes are currently linked, so mitigation relies on access control and monitoring.
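To make the CWE-862 pattern concrete for WordPress developers and reviewers, the following added example (not the plugin's own code; the route namespace, path, handler and parameter names are hypothetical) shows a REST route that schedules a status change and gates it with a per-post capability check in `permission_callback`, which is exactly the check the analysis above says is missing:

```php
<?php
// Added example, not PublishPress Future code. Route, handler and parameter
// names are hypothetical; the WordPress APIs used are real.
//
// The CWE-862 shape is a route whose 'permission_callback' is '__return_true'
// (or absent), so the handler runs for any caller and modifies whichever post
// ID the request names. The fix is to decide authorization per target post
// before the handler executes.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-future/v1', '/actions/(?P<post_id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'example_save_future_action',
        'permission_callback' => 'example_can_schedule_action',
        'args'                => array(
            'post_id'    => array( 'validate_callback' => 'is_numeric', 'sanitize_callback' => 'absint' ),
            'new_status' => array( 'validate_callback' => 'is_string',  'sanitize_callback' => 'sanitize_key' ),
        ),
    ) );
} );

// Authorization decision: runs before the handler and must be per object.
function example_can_schedule_action( WP_REST_Request $request ) {
    $post_id = absint( $request['post_id'] );
    if ( ! get_post( $post_id ) ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }
    // 'edit_post' is a meta capability: authors pass only for their own posts,
    // editors and administrators for any post. A role-only check such as
    // is_user_logged_in() would still let an author touch arbitrary posts.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'rest_forbidden', 'Cannot schedule changes to this post.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    // Scheduling a transition to "publish" is a publish action in its own right.
    if ( 'publish' === $request->get_param( 'new_status' ) && ! current_user_can( 'publish_post', $post_id ) ) {
        return new WP_Error( 'rest_cannot_publish', 'Cannot publish this post.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    return true;
}

// Handler: only reached after the permission callback returned true.
function example_save_future_action( WP_REST_Request $request ) {
    $post_id = absint( $request['post_id'] );
    update_post_meta( $post_id, '_example_future_action', array(
        'new_status' => $request->get_param( 'new_status' ),
        'set_by'     => get_current_user_id(),
    ) );
    return rest_ensure_response( array( 'post_id' => $post_id, 'scheduled' => true ) );
}
```

When reviewing a plugin for this class of bug, grep its `register_rest_route` calls for `__return_true` or a missing `permission_callback` and confirm the remaining callbacks check a capability against the specific post ID the request names, not merely that the user is logged in.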

Potential Impact

For European organizations, this vulnerability could lead to unauthorized modification of website content, including unpublishing or deleting critical posts and pages, or changing their categories. This can disrupt business communications, damage brand reputation, and potentially mislead customers or stakeholders. Since the vulnerability requires author-level access, insider threats or compromised author accounts pose a significant risk. Organizations relying on WordPress sites with the affected PublishPress plugin are vulnerable to content integrity attacks, which could be leveraged for misinformation, defacement, or operational disruption. The impact is primarily on data integrity and website reliability rather than confidentiality or availability. Given the widespread use of WordPress in Europe, especially among SMEs and content-driven organizations, the threat could affect a broad range of sectors including media, e-commerce, education, and government. The absence of known exploits reduces immediate risk but does not eliminate the potential for targeted attacks.

Mitigation Recommendations

1. Immediately audit WordPress sites to identify installations of the 'Schedule Post Changes With PublishPress Future' plugin and verify the version.
2. If possible, upgrade to a patched version once available; in the absence of a patch, consider disabling or uninstalling the plugin to eliminate the attack surface.
3. Restrict author-level access strictly to trusted users and implement strong authentication mechanisms such as MFA to reduce the risk of account compromise.
4. Monitor REST API access logs for unusual activity, especially calls to 'saveFutureActionData' or related endpoints.
5. Implement web application firewalls (WAFs) with custom rules to detect and block unauthorized REST API requests targeting this plugin's functions.
6. Regularly review user roles and permissions to ensure least privilege principles are enforced.
7. Educate content authors and administrators about the risk and signs of unauthorized content changes.
8. Maintain regular backups of website content to enable quick restoration in case of malicious modifications.


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-13T20:11:15.470Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69202539cf2d47c3899a7b28

Added to database: 11/21/2025, 8:39:21 AM

Last enriched: 11/28/2025, 9:44:02 AM

Last updated: 1/7/2026, 8:46:13 AM

Views: 85
