Authorization Bypass in Awesome Support Plugin for WordPress
CVE-2025-12641

6.5 MEDIUM

What is CVE-2025-12641?

The Awesome Support plugin for WordPress is vulnerable to an authorization bypass due to inadequate capability checks in all versions up to and including 6.3.6. This vulnerability arises from the 'wpas_do_mr_activate_user' function's failure to verify user permissions for modifying other users' roles. Furthermore, a nonce reuse issue permits unauthenticated users to exploit publicly accessible nonces for critical actions. By using the 'wpas-do=mr_activate_user' action paired with a user-controlled 'user_id' parameter, attackers can demote administrators to lower privilege levels if they can access the ticket submission page to capture a valid nonce.
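The two handlers below are an added illustration of the pattern the advisory describes, not code from the Awesome Support plugin: the first reproduces the weakness (a role change gated only by a nonce that a public form also emits, with `user_id` taken straight from the request and no capability check), the second shows the checks a maintainer would add. The `wpas-do` and `user_id` parameters come from the advisory; the function names, the nonce actions, the `wpas_user` target role and the `example_` prefix are assumptions made for this example.

```php
<?php
// Hypothetical illustration of the authorization pattern behind CVE-2025-12641.
// Not the plugin's own code: handler names, nonce actions and the target role are assumed.

/**
 * Insecure pattern: the only gate is a nonce whose action is shared with a public
 * form, and the target user is whatever the request says. Deliberately not hooked
 * into any action so it never runs; shown only for comparison.
 */
function example_insecure_mr_activate_user() {
    if ( ! isset( $_REQUEST['wpas-do'] ) || 'mr_activate_user' !== $_REQUEST['wpas-do'] ) {
        return;
    }
    // Same nonce action as the public ticket form (assumed name), so anyone who can
    // load that form holds a value that passes this check.
    if ( ! wp_verify_nonce( $_REQUEST['_wpnonce'] ?? '', 'example_public_form' ) ) {
        wp_die( 'Invalid nonce' );
    }
    // No is_user_logged_in(), no current_user_can(): an unauthenticated caller
    // can point user_id at an administrator account.
    $user = get_userdata( absint( $_REQUEST['user_id'] ?? 0 ) );
    if ( $user ) {
        $user->set_role( 'subscriber' ); // administrator silently demoted
    }
}

/**
 * Hardened pattern: authenticated caller, a nonce bound to this action and this
 * target user (issued only on the admin screen), and WordPress capability checks
 * tied to the target user.
 */
function example_hardened_mr_activate_user() {
    if ( ! isset( $_REQUEST['wpas-do'] ) || 'mr_activate_user' !== $_REQUEST['wpas-do'] ) {
        return;
    }
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required', '', array( 'response' => 401 ) );
    }
    $user_id = absint( $_REQUEST['user_id'] ?? 0 );
    $nonce   = sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ?? '' ) );
    // Nonce action includes the target id, so a nonce captured for one user
    // cannot be replayed against another.
    if ( ! wp_verify_nonce( $nonce, 'example_mr_activate_user_' . $user_id ) ) {
        wp_die( 'Invalid nonce', '', array( 'response' => 403 ) );
    }
    // Capability checks: may the caller change roles at all, and edit this user?
    if ( ! current_user_can( 'promote_users' ) || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        wp_die( 'Unknown user', '', array( 'response' => 404 ) );
    }
    // Only an administrator may alter another administrator's role.
    $caller_is_admin = in_array( 'administrator', (array) wp_get_current_user()->roles, true );
    if ( in_array( 'administrator', (array) $user->roles, true ) && ! $caller_is_admin ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Fixed, registered target role rather than anything derived from the request.
    $target_role = 'wpas_user'; // assumed role name for an activated support user
    if ( ! array_key_exists( $target_role, wp_roles()->get_names() ) ) {
        wp_die( 'Target role not registered', '', array( 'response' => 500 ) );
    }
    $user->set_role( $target_role );
}

/**
 * Builds the activation link for the admin screen. Because the nonce is created
 * here and nowhere public, there is no value on the ticket form to reuse.
 */
function example_mr_activate_user_url( $user_id ) {
    $user_id = absint( $user_id );
    return add_query_arg(
        array(
            'wpas-do'  => 'mr_activate_user',
            'user_id'  => $user_id,
            '_wpnonce' => wp_create_nonce( 'example_mr_activate_user_' . $user_id ),
        ),
        admin_url( 'admin.php' )
    );
}

add_action( 'admin_init', 'example_hardened_mr_activate_user' );
```

The two changes that matter for detection and review are the `current_user_can( 'edit_user', $user_id )` check, which ties authorization to the specific target rather than to the caller's session alone, and the per-user nonce action, which removes the reuse path the advisory describes; `promote_users` is the capability WordPress itself requires before a role may be changed.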

Affected Version(s)

Awesome Support – WordPress HelpDesk & Support Plugin: <= 6.3.6

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Angus Girvan