CVE-2025-12524 MEDIUM

CVE-2025-12524: Post Type Switcher <= 4.0.0 - Insecure Direct Object Reference to Authenticated (Author+) Post Type Change

Vendor Johnjamesjacoby
Product Post Type Switcher
Weakness CWE-639 · IDOR
Published November 18, 2025
Last update April 8, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01 Description

The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to modify the post type of arbitrary posts and pages they do not own, including those created by administrators, which can lead to site disruption, broken navigation, and SEO impact.
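The bug class above, as an added illustration that is not the plugin's code (the advisory does not show it): a hypothetical post-type switch handler that trusts a user-supplied post ID and checks only a generic capability, next to a hardened form that authorises against the specific post. Function names prefixed `pts_` are assumptions; the WordPress API calls (`current_user_can`, `get_post`, `post_type_exists`, `get_post_type_object`, `set_post_type`, `wp_verify_nonce`) are the real ones.

```php
<?php
// Hypothetical "change post type" handler, added to illustrate the IDOR
// pattern in CVE-2025-12524. This is NOT the plugin's own code.
// Assumes the standard WordPress API is loaded.

// Weak form: the post ID is a user-controlled key that is never tied back to
// the caller. Any user with a generic edit capability can retarget any post.
function pts_switch_weak() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        return false;                      // generic capability only
    }
    $post_id  = (int) $_POST['post_id'];   // attacker-chosen object reference
    $new_type = sanitize_key( $_POST['post_type'] );
    return set_post_type( $post_id, $new_type );
}

// Hardened form: verify a nonce, authorise against the specific post, confirm
// the target type exists and that the caller may work with that type.
function pts_switch_hardened() {
    $post_id  = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    $new_type = isset( $_POST['post_type'] ) ? sanitize_key( $_POST['post_type'] ) : '';
    $nonce    = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';

    if ( ! wp_verify_nonce( $nonce, 'pts_switch_' . $post_id ) ) {
        return new WP_Error( 'bad_nonce', 'Request could not be verified.' );
    }
    $post = get_post( $post_id );
    // Per-object check: an Author fails this on posts owned by someone else.
    if ( ! $post || ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'forbidden', 'You may not edit this post.' );
    }
    if ( ! post_type_exists( $new_type ) ) {
        return new WP_Error( 'bad_type', 'Unknown post type.' );
    }
    $type_obj = get_post_type_object( $new_type );
    // The caller must also be allowed to handle the destination type.
    if ( ! current_user_can( $type_obj->cap->edit_posts ) ) {
        return new WP_Error( 'forbidden', 'You may not use this post type.' );
    }
    return set_post_type( $post_id, $new_type );
}
```

The decisive difference is `current_user_can( 'edit_post', $post_id )`, which maps through WordPress's per-post capability logic, versus the bare `edit_posts` check that never looks at the object being changed.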

Explanation of Vulnerability in Simple Terms

02 Summary

Post Type Switcher versions 4.0.0 and earlier contain an authorization flaw that allows authenticated users to modify post data without proper permission checks. An attacker with low-level site access can alter post types or metadata, potentially affecting site integrity. Update to a version newer than 4.0.0 to resolve this issue.

What an attacker can do

03 Attacker Capabilities

Modify post types and metadata on the site without proper authorization.

Potential impact on your site

04 Site Impact

Unauthorized users can alter post content and structure, compromising editorial control and data integrity.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege authenticated account on the site.

Key dates

06 Disclosure timeline

November 18, 2025 CVE published
April 8, 2026 Record updated