The Permalinks Cascade WordPress Plugin Missing Authorization Vulnerability

Vulnerability

A missing authorization vulnerability has been identified in the Permalinks Cascade plugin for WordPress, affecting all versions through 2.2. The issue arises because the plugin's handleTPCAdminAjaxRequest function fails to properly verify user authorization for certain actions. This flaw allows authenticated attackers with subscriber-level access or higher to execute unauthorized administrative tasks, such as changing automatic pinging preferences and adjusting page exclusion settings.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in plugin settings, specifically regarding automatic pinging and page exclusions.

Added: Nov 18, 2025, 9:51 AM

Updated: Nov 18, 2025, 3:43 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

5.9

remediation

0.0

relevance

1.0

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

5.9

remediation

0.0

relevance

1.0

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

The Permalinks Cascade WordPress Plugin Missing Authorization Vulnerability

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating