CVE-2025-14080

Frontend Post Submission Manager Lite <= 1.2.5 - Missing Authorization to Unauthenticated Arbitrary Post Modification

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.2.6
Patched in
1d
Time to patch

Description

The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.5. This is due to missing authorization checks on the post update functionality in the fpsml_form_process AJAX action. This makes it possible for unauthenticated attackers to modify arbitrary posts by providing a post_id parameter via the guest posting form, allowing them to change post titles, content, excerpts, and remove post authors.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.2.5
PublishedDecember 20, 2025
Last updatedDecember 21, 2025

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2025-14080 (Missing Authorization to Arbitrary Post Modification) ## 1. Vulnerability Summary The **Frontend Post Submission Manager Lite** plugin (<= 1.2.5) is vulnerable to **Missing Authorization**. The AJAX handler `fpsml_form_process` is designed to allow gues…

Show full research plan

Exploitation Research Plan: CVE-2025-14080 (Missing Authorization to Arbitrary Post Modification)

1. Vulnerability Summary

The Frontend Post Submission Manager Lite plugin (<= 1.2.5) is vulnerable to Missing Authorization. The AJAX handler fpsml_form_process is designed to allow guest users to submit or edit posts via a frontend form. However, it fails to validate if the user is authorized to modify the specific post_id provided in the request. By supplying a post_id of an existing post (e.g., a published page or an admin's post), an unauthenticated attacker can overwrite its title, content, and metadata.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • AJAX Action: fpsml_form_process
  • Vulnerable Hooks:
    • wp_ajax_fpsml_form_process (Authenticated)
    • wp_ajax_nopriv_fpsml_form_process (Unauthenticated)
  • Vulnerability Type: Insecure Direct Object Reference (IDOR) / Missing Authorization.
  • Preconditions: The plugin must be active. A valid nonce is typically required for the AJAX action.

3. Code Flow

  1. The plugin registers the AJAX action in the frontend class (likely includes/class-frontend-post-submission-manager-lite-frontend.php or similar).
  2. The handler function fpsml_form_process() is called when the action is triggered.
  3. The function retrieves the post_id from the $_POST array (or $_REQUEST).
  4. If post_id is present, the function prepares an array for wp_update_post().
  5. The function fails to verify if the current user (especially an unauthenticated one) is the original author of the post or an administrator.
  6. wp_update_post( $post_data ) is executed, updating the target post.

4. Nonce Acquisition Strategy

The plugin protects the submission form with a WordPress nonce. This nonce is localized for the frontend scripts.

  • Trigger Shortcode: The plugin uses the shortcode [fpsml-form] to render the submission form.
  • Localization Key: Based on standard plugin patterns, the script parameters are localized under the variable fpsml_script_params or fpsml_obj.
  • Extraction Method:
    1. Create a Page: Create a public page containing the shortcode.
      wp post create --post_type=page --post_title="Submit" --post_status=publish --post_content='[fpsml-form]'
      
    2. Navigate: Use the browser to visit the page.
    3. Extract: Use browser_eval to retrieve the nonce from the JavaScript object.
      • Variable Name: fpsml_script_params (inferred)
      • Nonce Key: nonce (inferred)
      • Command: browser_eval("fpsml_script_params.nonce")

5. Exploitation Strategy

  1. Target Selection: Identify a post to modify. By default, WordPress creates a post with ID 1 ("Hello world!").
  2. Nonce Retrieval: Follow the steps in Section 4 to obtain a valid nonce for the fpsml_form_process action.
  3. Construct Payload:
    • action: fpsml_form_process
    • fpsml_nonce: [EXTRACTED_NONCE] (The parameter name may also be nonce or _wpnonce)
    • post_id: 1 (The target)
    • post_title: Vulnerable Site
    • post_content: This post has been modified by an unauthenticated user.
    • post_author: 0 (To attempt author removal/modification)
  4. Send Request: Execute the attack using the http_request tool.

6. Test Data Setup

  1. Target Post: Ensure a post exists that is owned by the admin.
    wp post create --post_type=post --post_title="Original Admin Post" --post_content="Secure content." --post_status=publish --post_author=1
    
  2. Form Page: Create the page for nonce extraction as described in Section 4.

7. Expected Results

  • The AJAX response should return a success status (likely a JSON object like {"success":true}).
  • The post with the target ID will have its title and content updated.
  • The post_author may be changed or set to 0.

8. Verification Steps

  1. Check Post Content:
    wp post get [TARGET_ID] --field=post_title
    wp post get [TARGET_ID] --field=post_content
    
  2. Check Author:
    wp post get [TARGET_ID] --field=post_author
    

9. Alternative Approaches

  • Parameter Guessing: If post_id is not the parameter name, try edit_id, pid, or post_ID.
  • Nonce Bypass: Check if the nonce is actually verified. If wp_verify_nonce is missing or the return value is not checked, the nonce parameter can be omitted or set to any value.
  • Metadata Modification: The plugin may also process custom meta fields in the same handler. Look for update_post_meta calls in fpsml_form_process to escalate the impact (e.g., changing SEO settings or access controls).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Frontend Post Submission Manager Lite plugin for WordPress (up to 1.2.5) is vulnerable to missing authorization in its AJAX post update functionality. Unauthenticated attackers can modify arbitrary posts by providing a target post_id and new content via the guest posting form handler.

Security Fix

--- a/includes/class-frontend-post-submission-manager-lite-frontend.php
+++ b/includes/class-frontend-post-submission-manager-lite-frontend.php
@@ -120,6 +120,10 @@
 		$post_id = isset( $_POST['post_id'] ) ? intval( $_POST['post_id'] ) : 0;
 
+		if ( $post_id > 0 && ! current_user_can( 'edit_post', $post_id ) ) {
+			wp_send_json_error( array( 'message' => __( 'You are not allowed to edit this post.', 'frontend-post-submission-manager-lite' ) ) );
+		}
+
 		$post_data = array(
 			'ID'           => $post_id,
 			'post_title'   => sanitize_text_field( $_POST['post_title'] ),

Exploit Outline

1. Identify a post ID to target and visit a page containing the '[fpsml-form]' shortcode. 2. Extract the AJAX nonce from the 'fpsml_script_params' JavaScript object localized in the page source. 3. Send a POST request to '/wp-admin/admin-ajax.php' with the 'action' parameter set to 'fpsml_form_process'. 4. Include the target 'post_id', the extracted 'fpsml_nonce', and the desired 'post_title' and 'post_content' values. 5. The server will update the target post content without verifying if the unauthenticated user has the necessary permissions to edit it.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.