Privilege Escalation Vulnerability in Redux Framework Plugin for WordPress
CVE-2026-12525
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 16 July 2026
Badges
What is CVE-2026-12525?
The Redux Framework plugin for WordPress prior to version 4.5.13 contains a vulnerability that allows unauthorized users with Subscriber roles to write arbitrary user meta keys when saving custom profile fields. This flaw can lead to privilege escalation, enabling these users to gain Administrator access by injecting crafted values during profile updates. This issue arises on sites where the user-profile feature of the Redux Framework plugin is active, highlighting the need for prompt updates and security measures to protect WordPress environments.
Affected Version(s)
Redux Framework 0 < 4.5.13
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.