What the vulnerability does
01 Description
The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to modify the post type of arbitrary posts and pages they do not own, including those created by administrators, which can lead to site disruption, broken navigation, and SEO impact.
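The kind of object-level check whose absence produces this class of bug, shown as an added example in WordPress PHP. It is not the plugin's code or its actual fix; the function name, the `admin_post` action, the nonce names and the request fields `post_ID` and `new_post_type` are all hypothetical.

```php
<?php
// Added example: hypothetical handler, not the Post Type Switcher plugin's code.
// Assumed names: example_switch_post_type(), action 'example_switch_type',
// nonce 'example-switch-type' / 'example_nonce', fields 'post_ID', 'new_post_type'.

function example_switch_post_type( $post_id, $new_type ) {
    $post = get_post( $post_id );
    if ( ! $post ) {
        return new WP_Error( 'not_found', 'No such post.' );
    }

    // Object-level check: the caller must be allowed to edit THIS post.
    // With default roles, an Author fails this for posts owned by other users.
    if ( ! current_user_can( 'edit_post', $post->ID ) ) {
        return new WP_Error( 'forbidden', 'You cannot edit this post.' );
    }

    // The target type must be registered, and the caller must hold its
    // publish capability before content is moved into it.
    $type_object = get_post_type_object( $new_type );
    if ( ! $type_object || ! current_user_can( $type_object->cap->publish_posts ) ) {
        return new WP_Error( 'forbidden', 'You cannot use this post type.' );
    }

    // set_post_type() returns false when the database update fails.
    return set_post_type( $post->ID, $new_type ) !== false;
}

add_action( 'admin_post_example_switch_type', function () {
    // Reject forged requests before reading any user-controlled field.
    check_admin_referer( 'example-switch-type', 'example_nonce' );

    // The post ID is attacker-controlled: normalise it, then authorise it.
    $post_id  = isset( $_POST['post_ID'] ) ? absint( $_POST['post_ID'] ) : 0;
    $new_type = isset( $_POST['new_post_type'] )
        ? sanitize_key( wp_unslash( $_POST['new_post_type'] ) )
        : '';

    $result = example_switch_post_type( $post_id, $new_type );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_die( 'Post type change rejected.', 403 );
    }
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
} );
```

The nonce only proves the request came from a form the site issued to this user; the `edit_post` check on the specific post ID is what ties the change to an object the user is entitled to modify.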
Explanation of Vulnerability in Simple Terms
02 Summary
Post Type Switcher versions 4.0.0 and earlier contain an authorization flaw that allows authenticated users to modify post data without proper permission checks. An attacker with low-level site access can alter post types or metadata, potentially affecting site integrity. Update to a version newer than 4.0.0 to resolve this issue.
What an attacker can do
03 Attacker Capabilities
Modify post types and metadata on the site without proper authorization.
Potential impact on your site
04 Site Impact
Unauthorized users can alter post content and structure, compromising editorial control and data integrity.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege authenticated account on the site.
Key dates
06 Disclosure timeline
November 18, 2025: CVE published
April 8, 2026: Record updated