CVE-2025-13358: CWE-862 Missing Authorization in codeconfig CodeConfig Accessibility
The Accessiy By CodeConfig Accessibility plugin for WordPress is vulnerable to unauthorized page creation due to missing authorization checks in versions up to, and including, 1.0.0. This is due to the plugin not performing capability checks in the `Settings::createPage()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary published pages on the site via the `ccpcaCreatePage` AJAX action.
AI Analysis
Technical Summary
CVE-2025-13358 identifies a missing authorization vulnerability (CWE-862) in the CodeConfig Accessibility plugin for WordPress, specifically in the `Settings::createPage()` function. The plugin does not perform a capability check before creating a new page via the `ccpcaCreatePage` AJAX action, so any authenticated user with at least Subscriber-level privileges can create arbitrary published pages on the affected site. This bypasses the intended access controls and allows unauthorized content injection. All versions up to and including 1.0.0 are affected. Because the Subscriber role is typically granted to minimally privileged users (it is the default role for new registrations), the bar for exploitation is low. The attack vector is network-based and requires no user interaction beyond the attacker's own authentication. The vulnerability affects the integrity of site content but not confidentiality or availability. No patches or fixes had been published at the time of disclosure, and no exploits are known to be in the wild. The CVSS 3.1 base score is 5.3 (medium), with vector string AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N: network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality or availability impact, and limited integrity impact. Note that PR:N in that vector denotes no privileges required, whereas the description states that Subscriber-level authentication is needed; anyone rescoring this for their own environment should check the vector against the assigner's record.
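The following PHP is an added illustration, not code from the CodeConfig Accessibility plugin or from this advisory. It shows the shape of the CWE-862 flaw described above (a page-creating callback on a `wp_ajax_*` hook with no capability check) next to a hardened equivalent that verifies a nonce and the `publish_pages` capability before writing. It assumes it is loaded inside WordPress from a plugin file; the function names, the hook name `ccpca_example_create_page` (standing in for the real `ccpcaCreatePage` action) and the script handle are hypothetical.

```php
<?php
// Added illustration (not the plugin's code): the CWE-862 pattern described for
// CVE-2025-13358 and a hardened equivalent. Assumes it is loaded inside WordPress,
// e.g. from a plugin file. Function and hook names are hypothetical.

/**
 * Vulnerable pattern. WordPress runs wp_ajax_{action} callbacks for ANY logged-in
 * user, Subscribers included; it does not check capabilities on the caller's behalf.
 * Hooking a page-creating callback here without current_user_can() is exactly the
 * missing-authorization flaw the advisory describes.
 */
function ccpca_example_create_page_unchecked() {
    $title   = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    $post_id = wp_insert_post( array(
        'post_type'   => 'page',
        'post_title'  => $title,
        'post_status' => 'publish', // goes live immediately, no review step
    ) );
    wp_send_json_success( array( 'id' => $post_id ) );
}
// add_action( 'wp_ajax_ccpca_example_create_page', 'ccpca_example_create_page_unchecked' ); // the bug

/**
 * Hardened version: verify a nonce (CSRF) and the publish_pages capability
 * (authorization) before any write. Subscribers do not hold publish_pages, so
 * they are rejected with HTTP 403 before wp_insert_post() is ever reached.
 */
function ccpca_example_create_page_checked() {
    // check_ajax_referer() terminates the request if the nonce is missing or stale.
    check_ajax_referer( 'ccpca_example_create_page', 'nonce' );

    if ( ! current_user_can( 'publish_pages' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    if ( '' === $title ) {
        wp_send_json_error( array( 'message' => 'Title is required.' ), 400 );
    }

    // Pass $wp_error = true so failures surface as WP_Error instead of 0.
    $post_id = wp_insert_post( array(
        'post_type'   => 'page',
        'post_title'  => $title,
        'post_status' => 'publish',
        'post_author' => get_current_user_id(),
    ), true );

    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( array( 'message' => $post_id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'id' => $post_id ) );
}
// Only the wp_ajax_ (logged-in) hook is registered; there is deliberately no
// wp_ajax_nopriv_ hook, so anonymous requests never reach the handler.
add_action( 'wp_ajax_ccpca_example_create_page', 'ccpca_example_create_page_checked' );

/**
 * Mint the nonce for the admin-side script that issues the AJAX call. Only users
 * who could pass the capability check are handed the nonce at all.
 */
function ccpca_example_enqueue_assets() {
    if ( ! current_user_can( 'publish_pages' ) ) {
        return;
    }
    wp_enqueue_script( 'ccpca-example', plugins_url( 'ccpca-example.js', __FILE__ ), array(), '1.0.0', true );
    wp_localize_script( 'ccpca-example', 'ccpcaExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'action'  => 'ccpca_example_create_page',
        'nonce'   => wp_create_nonce( 'ccpca_example_create_page' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'ccpca_example_enqueue_assets' );
```

The client script posts `action`, `nonce` and `title` to `admin-ajax.php`. The order of the checks matters: the nonce only proves the request came from a page that WordPress rendered for this user, it says nothing about what that user may do, so `current_user_can()` is still required. Checking a capability (`publish_pages`) rather than a role name keeps the handler correct on sites with custom roles.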
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the integrity of WordPress-based websites that utilize the CodeConfig Accessibility plugin. Unauthorized page creation can be exploited to inject misleading or malicious content, potentially damaging brand reputation, misleading customers, or facilitating social engineering and phishing campaigns. Although the vulnerability does not directly compromise sensitive data or site availability, the ability to publish arbitrary content undermines trust in the affected websites. Organizations in sectors with high regulatory scrutiny around accessibility and content integrity, such as government, healthcare, and finance, may face compliance risks if unauthorized content is published. Additionally, attackers could leverage this vulnerability as a foothold for further attacks by embedding malicious scripts or links within created pages. The medium severity reflects the limited scope of impact but does not diminish the importance of timely remediation, especially for public-facing sites with broad user bases.
Mitigation Recommendations
To mitigate CVE-2025-13358, organizations should first determine whether the CodeConfig Accessibility plugin is installed and active on their WordPress sites. If it is, upgrade to a patched version once one is available, or apply a manual code fix that enforces a capability check in `Settings::createPage()` so that only roles permitted to publish pages (e.g., Administrator or Editor) can reach the page-creation logic. As an interim measure, reduce exposure by reviewing and removing unneeded Subscriber-level accounts (and by disabling open registration where it is not required), or by disabling the plugin if it is not essential. Add web application firewall (WAF) rules that detect and block suspicious requests to `admin-ajax.php` carrying the `ccpcaCreatePage` action. Regularly audit user roles and permissions to minimize the number of accounts with elevated privileges. Monitor site content for unauthorized page creation or unexpected changes. Educate site administrators about the risks of installing plugins without a security review, and encourage timely updates. Security plugins that watch for unauthorized content changes can also help detect exploitation attempts early.
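The monitoring recommendation above can be implemented inside WordPress itself. The PHP below is an added example, not part of the advisory or of the plugin: a small must-use plugin that watches page status transitions, logs any page that reaches `publish` under an author account lacking `publish_pages` (the footprint of the unauthorized creation described here), and quarantines it as a draft. It assumes it runs inside WordPress; the function names and the log format are this example's own, and the author-based heuristic is an assumption about how the page was created.

```php
<?php
// Added monitoring example (not part of the advisory or the plugin): detect and
// quarantine pages published by accounts that may not publish pages. Assumes it is
// loaded by WordPress as a mu-plugin. Function names and log format are hypothetical.

/**
 * Decide whether a status transition looks like an unauthorized page publish.
 * Side-effect free so the rule can be reasoned about (and tested) on its own.
 *
 * @param string  $new_status Status the post is moving to.
 * @param string  $old_status Status the post is moving from.
 * @param WP_Post $post       The post being saved.
 * @return bool
 */
function ccpca_example_is_suspicious_publish( $new_status, $old_status, $post ) {
    if ( 'page' !== $post->post_type || 'publish' !== $new_status ) {
        return false;
    }
    // Heuristic (assumption): wp_insert_post() defaults post_author to the current
    // user, so a page created through a missing-authorization AJAX handler usually
    // carries the low-privileged caller as its author. A Subscriber never holds
    // publish_pages, so such a published page should not exist.
    return ! user_can( (int) $post->post_author, 'publish_pages' );
}

/**
 * Log the event with enough context for triage, then move the page back to draft.
 */
function ccpca_example_audit_publish( $new_status, $old_status, $post ) {
    if ( ! ccpca_example_is_suspicious_publish( $new_status, $old_status, $post ) ) {
        return;
    }

    $context = array(
        'post_id'     => $post->ID,
        'author_id'   => (int) $post->post_author,
        'actor_id'    => get_current_user_id(),
        'via_ajax'    => wp_doing_ajax(),
        // The admin-ajax "action" parameter names the handler that fired, which is
        // what a responder needs in order to tie the event to a specific plugin.
        'ajax_action' => isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '',
        'remote_addr' => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
    );
    error_log( 'ccpca-example: unauthorized page publish ' . wp_json_encode( $context ) );

    // Quarantine: revert to draft. Detach this hook first so the status change we
    // trigger does not re-enter this function, then re-attach it.
    remove_action( 'transition_post_status', 'ccpca_example_audit_publish', 10 );
    wp_update_post( array( 'ID' => $post->ID, 'post_status' => 'draft' ) );
    add_action( 'transition_post_status', 'ccpca_example_audit_publish', 10, 3 );
}
add_action( 'transition_post_status', 'ccpca_example_audit_publish', 10, 3 );
```

Treat a hit as a signal for triage rather than proof: an administrator can legitimately assign a page to a low-privileged author, so the log line (actor, AJAX action, source address) is what lets a responder separate that case from exploitation. Quarantining to draft preserves the content as evidence while taking it off the public site.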
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-18T15:51:31.791Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6933c71e11163305efef3dc8
Added to database: 12/6/2025, 6:03:10 AM
Last enriched: 12/6/2025, 6:11:21 AM
Last updated: 12/10/2025, 5:36:50 PM