Unauthorized Page Creation in CodeConfig Accessibility Plugin for WordPress
CVE-2025-13358
5.3 MEDIUM
What is CVE-2025-13358?
The CodeConfig Accessibility plugin for WordPress, up to and including version 1.0.0, is missing an authorization check that authenticated users with Subscriber-level access or higher can exploit. The Settings::createPage() function does not enforce capability checks, so these users can create arbitrary published pages through the ccpcaCreatePage AJAX action. The result is unauthorized content creation on a WordPress site, potentially compromising the integrity and security of the web application.
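What a handler for this action looks like with the missing checks in place, as an added example that is not the plugin's own code or its patch. Only the ccpcaCreatePage action name comes from the advisory; the function name, the nonce action string, the `title` and `nonce` parameters and the choice of `manage_options` as the required capability are assumptions.

```php
<?php
/**
 * Added example, not the plugin's source. Function name, nonce action,
 * request parameters and the required capability are assumptions.
 */

// wp_ajax_{action} fires for every logged-in user, Subscribers included,
// so the callback itself has to decide who may proceed.
add_action( 'wp_ajax_ccpcaCreatePage', 'example_ccpca_create_page' );

function example_ccpca_create_page() {
    // 1. CSRF: reject requests without a valid nonce (ends the request on failure).
    check_ajax_referer( 'example_ccpca_create_page', 'nonce' );

    // 2. Authorization: the capability check the advisory reports as missing.
    //    manage_options is assumed here because the action lives in a settings class.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input handling: unslash and sanitize before use.
    $title = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
        : '';
    if ( '' === $title ) {
        wp_send_json_error( array( 'message' => 'Missing title' ), 400 );
    }

    // 4. Create the page; passing true makes failures come back as WP_Error.
    $page_id = wp_insert_post(
        array(
            'post_type'   => 'page',
            'post_title'  => $title,
            'post_status' => 'publish',
        ),
        true
    );
    if ( is_wp_error( $page_id ) ) {
        wp_send_json_error( array( 'message' => $page_id->get_error_message() ), 500 );
    }

    wp_send_json_success( array( 'page_id' => $page_id ) );
}
```

The nonce alone is not an authorization control, since any logged-in user who can load a page that prints it can replay it; the `current_user_can()` call is what closes the Subscriber-level path.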
Affected Version(s)
CodeConfig Accessibility * <= 1.0.0