CVE-2025-13358 identifies a missing authorization vulnerability (CWE-862) in the CodeConfig Accessibility plugin for WordPress, specifically in versions up to and including 1.0.0. The vulnerability stems from the plugin's failure to perform capability checks within the Settings::createPage() function. This function is invoked via the AJAX action ccpcaCreatePage, which can be triggered by any authenticated user with Subscriber-level access or higher. Because the plugin does not verify whether the user has appropriate permissions to create pages, attackers can exploit this flaw to create arbitrary pages that are immediately published on the WordPress site. The vulnerability affects all versions of the plugin up to 1.0.0, with no patch currently available. The CVSS 3.1 base score is 5.3 (medium severity), reflecting that the attack vector is network-based (remote), requires no privileges beyond authentication, no user interaction, and impacts integrity but not confidentiality or availability. The lack of authorization checks means that even low-privileged users can manipulate site content, which could be leveraged for malicious purposes such as injecting phishing pages, defacement, or SEO spam. Although no known exploits have been reported in the wild, the vulnerability presents a significant risk to WordPress sites using this plugin, especially those with multiple users or open registration. The issue is classified under CWE-862, emphasizing missing authorization as the root cause.

For European organizations, the primary impact of this vulnerability is the potential for unauthorized content injection on WordPress sites using the CodeConfig Accessibility plugin. This can undermine the integrity of corporate websites, leading to reputational damage, loss of customer trust, and potential legal liabilities if malicious content such as phishing pages or misinformation is published. While confidentiality and availability are not directly affected, the ability to publish arbitrary pages can facilitate social engineering attacks or SEO poisoning campaigns targeting European users. Organizations with public-facing WordPress sites, especially those in sectors like e-commerce, finance, healthcare, and government, are at higher risk due to the potential for exploitation to harm customers or citizens. The vulnerability could also be exploited to bypass content moderation controls, complicating compliance with EU regulations such as the Digital Services Act. Given that exploitation requires only authenticated Subscriber-level access, attackers could leverage compromised or fraudulent user accounts to exploit this flaw, increasing the threat surface. The absence of known exploits in the wild suggests limited current impact but also highlights the importance of proactive mitigation to prevent future attacks.

European organizations should implement the following specific mitigation measures: 1) Immediately audit WordPress installations to identify the presence of the CodeConfig Accessibility plugin and verify its version. 2) Restrict user registration and limit Subscriber-level accounts to trusted users only, reducing the risk of attacker access. 3) Temporarily disable or uninstall the plugin until an official patch or update is released by the vendor. 4) Monitor WordPress site logs and audit trails for unusual page creation activities, especially via AJAX calls to ccpcaCreatePage. 5) Implement Web Application Firewall (WAF) rules to detect and block unauthorized AJAX requests targeting the vulnerable function. 6) Educate site administrators and content managers about the risk and signs of exploitation. 7) Once a patch is available, promptly apply it and verify that capability checks are enforced in the createPage function. 8) Consider deploying additional WordPress security plugins that enforce strict role-based access controls and monitor content changes. 9) Regularly review user roles and permissions to ensure minimal privilege principles are enforced. 10) For organizations with multiple WordPress sites, centralize vulnerability management and incident response to quickly address emerging threats related to this vulnerability.