CVE-2025-13149: CWE-862 Missing Authorization in publishpress Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories
The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the "saveFutureActionData" function in all versions up to, and including, 4.9.1. This makes it possible for authenticated attackers, with author level access and above, to change the status of arbitrary posts and pages via the REST API endpoint.
AI Analysis
Technical Summary
CVE-2025-13149 is a vulnerability in the WordPress plugin 'Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories', affecting all versions up to and including 4.9.1. The root cause is a missing authorization check in the 'saveFutureActionData' function, which is reachable through a WordPress REST API endpoint. Any authenticated user with Author-level privileges or higher can therefore schedule changes against arbitrary posts and pages, not just their own. The plugin's scheduled actions, as its name lists them, are unpublishing, deleting, trashing, changing status and changing categories. The weakness is classified as CWE-862 (Missing Authorization): the code performs a sensitive operation without verifying that the caller is entitled to act on the specific object. In WordPress terms, the Author role holds the role-wide 'edit_posts' capability but not 'edit_others_posts'; the fact that authors can target posts they do not own implies that the handler does not perform the per-post check, 'current_user_can( "edit_post", $post_id )', that ties the request to the caller's rights on that post. The CVSS v3.1 base score is 4.3 (medium): network attack vector, low attack complexity, low privileges required (an Author account), no user interaction, unchanged scope, a low integrity impact and no impact on confidentiality or availability. No public exploit had been reported at the time of writing, but the flaw directly threatens the integrity of published content. The advisory was published on November 21, 2025; this page links no official patch, so site administrators should check the plugin changelog and treat the issue as open until a fixed version is confirmed.
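To make the CWE-862 pattern concrete, the following is an added example written for this page; it is not the plugin's code and does not reproduce its real route, function or parameter names (the 'example/v1' namespace, the '/future-action' route and the function names are assumptions). It registers a REST endpoint that schedules a status change for a post and shows the weak permission check, which any Author passes regardless of which post the body names, next to a hardened one that checks the caller's rights on the specific post.

```php
<?php
/**
 * Added example, not PublishPress code. Namespace, route, parameter and
 * function names are assumptions chosen for illustration.
 */

// WEAK: both conditions hold for every Author, so the post_id in the request
// body is never tied to the caller. This is the CWE-862 shape.
function example_weak_permission_callback( WP_REST_Request $request ) {
	return is_user_logged_in() && current_user_can( 'edit_posts' );
}

// HARDENED: 'edit_post' is a per-post meta capability resolved through
// map_meta_cap(), so an Author passes only for posts they own, while Editors
// and Administrators pass for any post.
function example_hardened_permission_callback( WP_REST_Request $request ) {
	$post_id = absint( $request->get_param( 'post_id' ) );
	if ( ! $post_id || ! get_post( $post_id ) ) {
		return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
	}
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		return new WP_Error(
			'rest_forbidden',
			'You cannot modify this post.',
			array( 'status' => rest_authorization_required_code() )
		);
	}
	// Trashing or deleting is governed by a different capability than editing.
	$action = sanitize_key( $request->get_param( 'action' ) );
	if ( in_array( $action, array( 'trash', 'delete' ), true ) && ! current_user_can( 'delete_post', $post_id ) ) {
		return new WP_Error(
			'rest_forbidden',
			'You cannot delete this post.',
			array( 'status' => rest_authorization_required_code() )
		);
	}
	return true;
}

// Handler: validates the requested action and records it. A real plugin would
// queue the change for later execution; this example only stores the intent.
function example_save_future_action( WP_REST_Request $request ) {
	$post_id = absint( $request->get_param( 'post_id' ) );
	$action  = sanitize_key( $request->get_param( 'action' ) );
	$allowed = array( 'draft', 'private', 'trash', 'delete' );
	if ( ! in_array( $action, $allowed, true ) ) {
		return new WP_Error( 'rest_invalid_param', 'Unknown action.', array( 'status' => 400 ) );
	}
	update_post_meta( $post_id, '_example_future_action', $action );
	return rest_ensure_response( array( 'post_id' => $post_id, 'action' => $action ) );
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/future-action', array(
		'methods'             => WP_REST_Server::CREATABLE,
		'callback'            => 'example_save_future_action',
		// Swap in example_weak_permission_callback to reproduce the flawed behaviour.
		'permission_callback' => 'example_hardened_permission_callback',
		'args'                => array(
			'post_id' => array( 'required' => true, 'type' => 'integer', 'sanitize_callback' => 'absint' ),
			'action'  => array( 'required' => true, 'type' => 'string', 'sanitize_callback' => 'sanitize_key' ),
		),
	) );
} );
```

The point to carry over when reviewing any WordPress endpoint is that a role or role-wide capability check answers "may this user do this kind of thing" while the vulnerability requires answering "may this user do it to this object"; only the per-object meta capabilities ('edit_post', 'delete_post', 'publish_post') answer the second question.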
Potential Impact
The primary impact of CVE-2025-13149 is on the integrity of WordPress site content managed through the affected plugin. An attacker holding an Author account (or anything above it) can schedule actions against posts and pages belonging to other users: unpublishing, trashing, deleting, changing status or changing categories. Because the plugin applies the change at a scheduled future time rather than immediately, the modification may surface well after the request that caused it, which complicates attribution. Confidentiality and availability are not directly affected, but unauthorized content changes can remove published material, silence announcements or reorder categories, with reputational and operational consequences. Organizations running multi-author or contributor-heavy WordPress sites are most exposed, since a malicious insider or a single compromised Author credential is all that is required. Exploitation itself is straightforward once authenticated: one REST request, no user interaction and low complexity; the privilege requirement is the only real barrier, and it is a weak one on sites with many Authors or lax account hygiene. Altered content could also serve as a stepping stone for social engineering or phishing against the site's readers.
Mitigation Recommendations
To mitigate CVE-2025-13149, first confirm whether the plugin is installed and at version 4.9.1 or earlier (Plugins screen or 'wp plugin list' via WP-CLI), and upgrade to a fixed release as soon as one is published. Until then, reduce the attack surface: audit every account with the Author role or higher, remove or downgrade those that do not need it, and enforce strong authentication on the rest, since a compromised Author account is the entry point. Enable monitoring for post status changes, trashing, deletion and category changes that do not match the acting user's normal scope, and review the plugin's scheduled-action list for entries targeting posts the scheduling user does not own. If feasible, add a site-level guard in custom code (for example a must-use plugin) that rejects authenticated REST writes naming a post the caller cannot edit, which enforces the missing per-post authorization check regardless of which endpoint is hit. A web application firewall can provide the same virtual patch with a rule scoped to the plugin's REST route. Keep recent, tested backups so unauthorized changes can be reversed, and watch PublishPress and WordPress security advisories for the fixed version.
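The following is an added example of the site-level guard and monitoring described above; it is not PublishPress code and it does not know the plugin's real REST route. It hooks 'rest_pre_dispatch', which runs before any route's own permission callback, extracts post identifiers from the request, and logs every authenticated write that names a post the caller cannot edit. For routes listed in EXAMPLE_GUARDED_ROUTE_PREFIXES (an assumed placeholder to be replaced with the real namespace) it rejects the request outright. Drop it into wp-content/mu-plugins/ to activate it.

```php
<?php
/**
 * Plugin Name: Example REST per-post authorization monitor
 * Description: Added example for this page, not plugin code. Logs, and for
 *              configured routes blocks, REST writes against posts the caller
 *              may not edit. Route prefixes below are assumptions.
 */

// Routes where a failed per-post check is rejected rather than only logged.
// ASSUMPTION: placeholder; set to the vulnerable plugin's namespace once known.
const EXAMPLE_GUARDED_ROUTE_PREFIXES = array( '/example/v1/' );

// Parameter names under which REST handlers commonly receive a post identifier.
const EXAMPLE_POST_ID_PARAMS = array( 'id', 'post_id', 'postId', 'post' );

// Collect candidate post IDs from query/body parameters and, because path
// parameters are not yet parsed at rest_pre_dispatch time, from a numeric
// segment in the route itself (heuristic, e.g. /wp/v2/posts/123).
function example_extract_post_ids( WP_REST_Request $request ) {
	$ids = array();
	foreach ( EXAMPLE_POST_ID_PARAMS as $name ) {
		foreach ( (array) $request->get_param( $name ) as $candidate ) {
			if ( is_numeric( $candidate ) && (int) $candidate > 0 ) {
				$ids[] = (int) $candidate;
			}
		}
	}
	if ( preg_match( '#/(\d+)(?:/|$)#', $request->get_route(), $m ) ) {
		$ids[] = (int) $m[1];
	}
	return array_values( array_unique( $ids ) );
}

function example_rest_post_authz_monitor( $result, WP_REST_Server $server, WP_REST_Request $request ) {
	// Another filter already produced a response, the caller is anonymous, or the
	// request is a read: nothing to check here.
	$read_methods = array( 'GET', 'HEAD', 'OPTIONS' );
	if ( null !== $result || ! is_user_logged_in() || in_array( $request->get_method(), $read_methods, true ) ) {
		return $result;
	}
	$user  = wp_get_current_user();
	$route = $request->get_route();
	foreach ( example_extract_post_ids( $request ) as $post_id ) {
		if ( ! get_post( $post_id ) || current_user_can( 'edit_post', $post_id ) ) {
			continue;
		}
		// A logged-in caller is writing to a post it cannot edit. Log enough to hunt on;
		// feed error_log to your SIEM or swap in your own logger.
		error_log( wp_json_encode( array(
			'event'   => 'rest_post_authz_mismatch',
			'user_id' => $user->ID,
			'login'   => $user->user_login,
			'roles'   => $user->roles,
			'method'  => $request->get_method(),
			'route'   => $route,
			'post_id' => $post_id,
			'ip'      => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
		) ) );
		foreach ( EXAMPLE_GUARDED_ROUTE_PREFIXES as $prefix ) {
			if ( 0 === strpos( $route, $prefix ) ) {
				return new WP_Error(
					'rest_forbidden',
					'You cannot modify this post.',
					array( 'status' => rest_authorization_required_code() )
				);
			}
		}
	}
	return $result;
}
add_filter( 'rest_pre_dispatch', 'example_rest_post_authz_monitor', 10, 3 );
```

Run it in log-only mode first (leave the guarded prefix list pointing at a non-existent namespace) and review the 'rest_post_authz_mismatch' entries; legitimate plugins that let Authors touch other users' posts by design will show up there and need an allow-list before blocking is enabled. The log also gives you the attribution the scheduled-action model otherwise hides: the user and IP that submitted the request, at the time it was submitted.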
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-13T20:11:15.470Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69202539cf2d47c3899a7b28
Added to database: 11/21/2025, 8:39:21 AM
Last enriched: 2/27/2026, 9:35:10 AM
Last updated: 3/24/2026, 6:23:21 AM