CVE-2025-12641

The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter, granted they can access the publicly available registration/submit ticket page to extract a valid nonce.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-actions.php#L36
https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-actions.php#L66
https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-user.php#L1686
https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/themes/default/registration.php#L183
https://plugins.trac.wordpress.org/changeset/3435609/awesome-support/trunk/includes/functions-user.php?contextall=1
https://www.wordfence.com/threat-intel/vulnerabilities/id/a5a8e4ca-c16b-4e9d-8ad2-5a671fdbc49a?source=cve

Configurations

No configuration.

History

No history.

Information

Published : 2026-01-16 05:16

Updated : 2026-01-16 15:55

NVD link : CVE-2025-12641

Mitre link : CVE-2025-12641

CVE.ORG link : CVE-2025-12641

JSON object : View

Products Affected

No product.

CWE

CWE-862

Missing Authorization

{"id": "CVE-2025-12641", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2026-01-16T05:16:04.500", "references": [{"url": "https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-actions.php#L36", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-actions.php#L66", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/includes/functions-user.php#L1686", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.5/themes/default/registration.php#L183", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3435609/awesome-support/trunk/includes/functions-user.php?contextall=1", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a5a8e4ca-c16b-4e9d-8ad2-5a671fdbc49a?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter, granted they can access the publicly available registration/submit ticket page to extract a valid nonce."}], "lastModified": "2026-01-16T15:55:12.257", "sourceIdentifier": "security@wordfence.com"}