Insecure Direct Object Reference in The Total Book Project Plugin for WordPress
CVE-2025-12126

5.4 MEDIUM

Key Information:

Vendor

WordPress

CVE Published:
11 November 2025

What is CVE-2025-12126?

The Total Book Project plugin for WordPress contains an Insecure Direct Object Reference vulnerability that allows authenticated users with Contributor-level access and above to manipulate content they do not own. The plugin does not adequately validate user-controlled keys, so a key that names another user's chapter or book is acted on without an ownership check, enabling an attacker to move, delete, or create chapters within books beyond their permission level. Enforcing an authorization check on every object a request references is necessary to safeguard user data and maintain the integrity of the site.
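As an added illustration, not code from the Total Book Project plugin itself, the following shows the bug class described above in a WordPress AJAX handler: the unchecked version acts on whatever chapter and book IDs the request supplies, while the hardened version verifies the nonce and requires an edit capability on each referenced object. The function, action, and post type names are hypothetical, as is the data model (chapters stored as posts whose post_parent is the book).

```php
<?php
// Hypothetical handler that moves a "chapter" post under a different "book" post.
// Assumed data model: chapters are posts of type tbp_chapter, books are posts of
// type tbp_book, and a chapter's post_parent is its book.

// BEFORE (the pattern this advisory describes): the chapter and book IDs come
// straight from the request and are never checked against the caller's rights,
// so any logged-in user who can reach admin-ajax.php can move another user's chapter.
function tbp_move_chapter_vulnerable() {
    $chapter_id = (int) $_POST['chapter_id'];
    $book_id    = (int) $_POST['book_id'];
    wp_update_post( array( 'ID' => $chapter_id, 'post_parent' => $book_id ) );
    wp_send_json_success();
}

// AFTER: verify the nonce, resolve both objects, and require an edit capability
// on each object the caller names. current_user_can( 'edit_post', $id ) is
// evaluated per post, so a Contributor passes only for posts they authored
// (and, lacking edit_published_posts, only while those posts are unpublished).
function tbp_move_chapter_hardened() {
    check_ajax_referer( 'tbp_move_chapter', 'nonce' );

    $chapter_id = isset( $_POST['chapter_id'] ) ? absint( $_POST['chapter_id'] ) : 0;
    $book_id    = isset( $_POST['book_id'] ) ? absint( $_POST['book_id'] ) : 0;

    $chapter = get_post( $chapter_id );
    $book    = get_post( $book_id );
    if ( ! $chapter || ! $book
        || 'tbp_chapter' !== $chapter->post_type
        || 'tbp_book' !== $book->post_type ) {
        wp_send_json_error( 'invalid object', 400 ); // wp_send_json_error() exits
    }

    // The ownership check the vulnerable version lacks: the caller must be
    // allowed to edit both the chapter being moved and the destination book.
    if ( ! current_user_can( 'edit_post', $chapter->ID )
        || ! current_user_can( 'edit_post', $book->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_update_post( array( 'ID' => $chapter->ID, 'post_parent' => $book->ID ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_tbp_move_chapter', 'tbp_move_chapter_hardened' );
```

The same per-object capability check applies to the delete and create paths: a request that creates a chapter must be authorized against the book it names, not merely against the caller's role.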

Affected Version(s)

The Total Book Project <= 1.0

CVSS v3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Athiwat Tiprasaharn