CVE-2025-13358: CWE-862 Missing Authorization in codeconfig CodeConfig Accessibility
The Accessiy By CodeConfig Accessibility plugin for WordPress is vulnerable to unauthorized page creation due to missing authorization checks in versions up to, and including, 1.0.0. This is due to the plugin not performing capability checks in the `Settings::createPage()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary published pages on the site via the `ccpcaCreatePage` AJAX action.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-13358 affects the CodeConfig Accessibility plugin for WordPress, versions up to and including 1.0.0. The root cause is a missing authorization check (CWE-862) in the plugin's Settings::createPage() function, which is invoked through the ccpcaCreatePage AJAX action and is reachable by any authenticated user with Subscriber-level privileges or higher. Because the plugin never verifies that the caller holds a capability permitting page creation, a low-privileged user can create arbitrary published pages on the affected site. Such pages can be used for content injection, phishing, misinformation, or defacement.

The vulnerability has a CVSS 3.1 base score of 5.3 (medium severity). The vector is network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), limited integrity impact (I:L), and no availability impact (A:N). No patches are currently linked, and no known exploits have been observed in the wild. All released versions are affected, 1.0.0 being the only release at this time. The issue was reserved in November 2025 and published in December 2025.

The flaw matters because WordPress is widely deployed and plugins are a common attack surface: a low-privileged account can alter site content without any privilege escalation and, absent monitoring of page creation, without being noticed.
Potential Impact
The primary impact of this vulnerability is unauthorized content creation on affected WordPress sites. Attackers with Subscriber-level access can create arbitrary published pages, potentially injecting malicious content, phishing pages, or misinformation. This can damage the site's reputation, mislead visitors, and facilitate further attacks such as credential harvesting or malware distribution. Although the vulnerability does not directly compromise confidentiality or availability, the integrity of the website content is compromised. For organizations relying on WordPress for their web presence, this can lead to brand damage, loss of user trust, and potential regulatory consequences if malicious content is served. The ease of exploitation (no privilege escalation needed beyond Subscriber) and network accessibility increase the risk, especially for sites with open user registrations or multiple contributors. Since no known exploits are currently in the wild, the risk is moderate but could escalate rapidly once exploit code becomes available.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first check for and apply any official patches or updates released by the CodeConfig Accessibility plugin developers once available. Until a patch is released, administrators should consider disabling or uninstalling the plugin if it is not essential. If the plugin must remain active, restrict access to the ccpcaCreatePage AJAX action by implementing custom capability checks or using security plugins that can limit AJAX endpoints to trusted roles only. Additionally, review and tighten user role assignments to minimize the number of users with Subscriber or higher privileges, especially on sites with open registrations. Implement monitoring and alerting for unusual page creation activity to detect exploitation attempts early. Regularly audit installed plugins for security issues and maintain a robust backup strategy to restore affected content if needed. Finally, consider employing a Web Application Firewall (WAF) to block suspicious AJAX requests targeting this vulnerability.
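The two interim measures above (a capability check in front of the ccpcaCreatePage AJAX action, and alerting on unexpected page creation) can be combined in a small must-use plugin. The code below is an added example written for this advisory; it is not the plugin's own code and has not been derived from it. It assumes that the vulnerable handler is registered on the standard wp_ajax_ccpcaCreatePage hook at WordPress's default priority (10), so a callback at priority 1 runs first, and that page creation should require the core publish_pages capability, which Subscribers, Contributors and Authors do not hold. Both assumptions are marked in the comments.

```php
<?php
/**
 * Interim hardening for CVE-2025-13358 (added example, not plugin code).
 * Drop into wp-content/mu-plugins/ccpca-guard.php and remove once an
 * official fix is installed.
 *
 * Assumptions not confirmed by the advisory:
 *  - the vulnerable handler listens on wp_ajax_ccpcaCreatePage at the
 *    default priority 10, so priority 1 below runs before it;
 *  - 'publish_pages' is the right capability to demand (Subscribers lack it).
 */

// 1. Authorization gate: the check the plugin omitted (CWE-862).
add_action( 'wp_ajax_ccpcaCreatePage', 'ccpca_guard_create_page', 1 );

function ccpca_guard_create_page() {
    if ( current_user_can( 'publish_pages' ) ) {
        return; // authorised; the plugin's own handler runs next at priority 10
    }

    error_log( sprintf(
        '[ccpca-guard] blocked ccpcaCreatePage for user %d from %s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // wp_send_json_error() ends the request via wp_die(), so no later
    // callback on this hook, including the vulnerable one, is executed.
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}

// 2. Detection: record any page that reaches 'publish' while the acting
//    user lacks publish_pages. This is independent of the AJAX hook, so it
//    also catches any other code path that creates pages on a user's behalf.
add_action( 'transition_post_status', 'ccpca_audit_page_publish', 10, 3 );

function ccpca_audit_page_publish( $new_status, $old_status, $post ) {
    if ( 'page' !== $post->post_type || 'publish' !== $new_status ) {
        return;
    }
    if ( current_user_can( 'publish_pages' ) ) {
        return; // normal editorial workflow
    }

    error_log( sprintf(
        '[ccpca-guard] page %d ("%s") published by user %d lacking publish_pages; action=%s',
        $post->ID,
        $post->post_title,
        get_current_user_id(),
        isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '(none)'
    ) );
}
```

The guard deliberately does not add a nonce check: the advisory does not name the nonce the plugin uses, and demanding an unknown one would break the action for legitimate editors. Entries tagged [ccpca-guard] in the PHP error log (or wp-content/debug.log when WP_DEBUG_LOG is on) are the signal to forward to monitoring. To look for pages that may already have been created before the guard was in place, a WP-CLI listing ordered by date is a quick first pass: `wp post list --post_type=page --post_status=publish --fields=ID,post_author,post_date,post_title --orderby=date --order=desc`, then compare post_author against the users expected to publish pages.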
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, Brazil, France, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-18T15:51:31.791Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6933c71e11163305efef3dc8
Added to database: 12/6/2025, 6:03:10 AM
Last enriched: 2/27/2026, 9:42:52 AM
Last updated: 3/25/2026, 3:32:17 AM