WordPress PublishPress Future Plugin Schedule Post Changes Unauthorized Data Modification Vulnerability

Vulnerability

A vulnerability exists in the Schedule Post Changes feature of the WordPress PublishPress Future plugin, in versions through 4.9.1. The issue arises from a missing authorization check in the 'saveFutureActionData' function, which allows authenticated attackers with author-level access or higher to modify the status of posts and pages without authorization. The vulnerability can be exploited through the REST API endpoint.

Impact

Exploitation of this vulnerability allows unauthorized modification of post and page statuses, potentially leading to unauthorized content management actions such as unpublishing or deleting posts and pages, or changing their categories.

Remediation

Users are advised to update the PublishPress Future plugin to version 4.9.2 or later.
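
For developers auditing their own REST handlers for the same class of flaw, the following added example shows a per-post authorization check on a WordPress REST route. It is not PublishPress Future code and not the 4.9.2 fix; the route, function names and meta key are hypothetical.

```php
<?php
// Added illustration: hypothetical route and meta key, not PublishPress Future code.
add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/future-action/(?P<id>\d+)', [
        'methods'  => 'POST',
        'callback' => 'example_save_future_action',
        'args'     => [
            'new_status' => [
                'required'          => true,
                // Accept only statuses this feature is meant to set.
                'validate_callback' => function ($value) {
                    return in_array($value, ['draft', 'private', 'publish', 'trash'], true);
                },
            ],
        ],
        // Weak form: a callback that only confirms a login or a role-level
        // capability such as current_user_can('edit_posts') passes any Author,
        // whichever post the id names.
        'permission_callback' => 'example_can_schedule_for_post',
    ]);
});

// Object-level check: the caller must be allowed to edit THIS post.
function example_can_schedule_for_post(WP_REST_Request $request) {
    $post = get_post(absint($request['id']));
    if (!$post) {
        return new WP_Error('rest_post_invalid_id', 'Invalid post ID.', ['status' => 404]);
    }
    // 'edit_post' is a meta capability: map_meta_cap() resolves it against the
    // post's author and status, so an Author passes only for their own posts.
    if (!current_user_can('edit_post', $post->ID)) {
        return new WP_Error('rest_forbidden', 'You cannot schedule changes for this post.',
            ['status' => rest_authorization_required_code()]);
    }
    return true;
}

function example_save_future_action(WP_REST_Request $request) {
    $post_id = absint($request['id']);
    // Re-check at the point of write, in case this function is reached by another path.
    if (!current_user_can('edit_post', $post_id)) {
        return new WP_Error('rest_forbidden', 'Forbidden.', ['status' => 403]);
    }
    update_post_meta($post_id, '_example_future_action', [
        'new_status' => sanitize_key($request['new_status']),
    ]);
    return rest_ensure_response(['saved' => true]);
}
```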

Added: Nov 21, 2025, 9:18 AM
Updated: Nov 21, 2025, 3:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 5.9
remediation: 7.7
relevance: 1.1
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.