CVE-2025-12639
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
18/11/2025
Last modified:
18/11/2025
Description
The wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.2.2. This is due to the plugin not properly verifying that a user is authorized to access sensitive information via the AJAX endpoint. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive information including user emails, usernames, roles, capabilities, and WooCommerce data such as products and payment methods.
Impact
Base Score 3.x
4.30
Severity 3.x
MEDIUM
References to Advisories, Solutions, and Tools
- https://plugins.trac.wordpress.org/browser/catalog-mode-pricing-enquiry-forms-promotions/tags/1.2.1/framework/reon/core/class.reon.core.ajax.php#L12
- https://plugins.trac.wordpress.org/browser/catalog-mode-pricing-enquiry-forms-promotions/tags/1.2.1/framework/reon/core/class.reon.core.ajax.php#L165
- https://plugins.trac.wordpress.org/browser/catalog-mode-pricing-enquiry-forms-promotions/tags/1.2.1/framework/reon/core/class.reon.core.ajax.php#L29
- https://plugins.trac.wordpress.org/changeset/3392651/catalog-mode-pricing-enquiry-forms-promotions/trunk?contextall=1&old=3390779&old_path=/catalog-mode-pricing-enquiry-forms-promotions/trunk#file11
- https://www.wordfence.com/threat-intel/vulnerabilities/id/979001c4-45dd-4168-8749-c8eebe237b60?source=cve