The WP Page Permalink Extension plugin for WordPress suffers from a Missing Authorization vulnerability (CWE-862) identified as CVE-2025-14172. This vulnerability exists in all versions up to and including 1.5.4. The root cause is the absence of proper authorization checks in the function cwpp_trigger_flush_rewrite_rules, which is triggered via the AJAX action wp_ajax_cwpp_trigger_flush_rewrite_rules. Because this AJAX endpoint does not verify whether the requesting user has sufficient privileges, any authenticated user with at least Subscriber-level access can invoke this function. The function flushes the site's rewrite rules, which control how URLs are parsed and routed within WordPress. Improper or frequent flushing of rewrite rules can disrupt site routing, potentially causing broken links, misdirected URLs, or temporary site unavailability. While the vulnerability does not directly expose sensitive data or allow remote code execution, it compromises the integrity and availability of the website's URL structure. The vulnerability has a CVSS v3.1 base score of 6.5, indicating a medium severity. No public exploits have been reported yet, but the low privilege required to exploit and the potential impact on site operation make it a significant concern for site administrators using this plugin.

The primary impact of CVE-2025-14172 is on the integrity and availability of WordPress sites using the WP Page Permalink Extension plugin. An attacker with Subscriber-level access or higher can flush rewrite rules arbitrarily, which may cause URL routing issues, broken links, and potential downtime. This can degrade user experience, reduce site reliability, and potentially affect SEO rankings due to inconsistent URL behavior. Although no direct confidentiality breach occurs, the disruption can be leveraged as part of a broader attack chain, such as facilitating phishing or redirecting users to malicious content if combined with other vulnerabilities. Organizations relying on WordPress for critical web presence, e-commerce, or content delivery may face operational disruptions and reputational damage. The ease of exploitation by low-privileged users increases the risk, especially in environments where user roles are not tightly controlled or where subscriber accounts can be created with minimal verification.

To mitigate this vulnerability, site administrators should immediately restrict access to the AJAX action wp_ajax_cwpp_trigger_flush_rewrite_rules to only trusted, higher-privileged users such as administrators. This can be done by modifying the plugin code to include proper capability checks (e.g., current_user_can('manage_options')) before allowing the flush operation. Until an official patch is released by infosatech, manual code review and patching are recommended. Additionally, administrators should audit user roles and permissions to ensure that Subscriber-level accounts are not granted unnecessary access or created without proper vetting. Monitoring logs for unusual AJAX requests related to rewrite rule flushing can help detect exploitation attempts. Regular backups of site configurations and rewrite rules are advised to quickly restore normal operation if disruption occurs. Finally, keep the plugin updated and subscribe to vendor advisories for timely patch releases.