Back to overview

CVE-2026-12525

Description
The Redux Framework WordPress plugin before 4.5.13 does not restrict which user meta keys can be written when saving custom profile fields, allowing users with at least the Subscriber role to escalate their privileges to Administrator by submitting a crafted value while updating their own profile, on sites where the Redux Framework WordPress plugin before 4.5.13's user-profile (Users extension) feature is enabled.

Metadata

CVE ID
CVE-2026-12525
State
PUBLISHED
Assigner
WPScan
Reserved
2026-06-17 13:40 UTC
Published
2026-07-16 06:00 UTC
Last updated
2026-07-16 06:00 UTC
Vendor / Product
Unknown / Redux Framework
Sources
cve.org  ·  NVD

Severity & Metrics

No CVSS data available.

Affected products (1)
VendorProductPlatformVersions
Unknown Redux Framework 0 < 4.5.13
Weakness (CWE)
CWESourceDescription
cna CWE-269 Improper Privilege Management
Back to overview