Medium severity5.4NVD Advisory· Published Nov 11, 2025· Updated Apr 15, 2026

CVE-2025-12126

Description

The The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0 via several functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform several actions like moving/deleting/creating chapters in books that do not belong to them.

Affected products

WordPress/The Total Book Projectreferences
Package: https://wordpress.org/plugins/the-total-book-project

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changesetnvd
wordpress.org/plugins/the-total-book-project/nvd
www.wordfence.com/threat-intel/vulnerabilities/id/e1b473fd-2444-4a54-b558-4656634a6903nvd

News mentions

No linked articles in our index yet.

cvss	0.351
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000