CVE-2025-12579
Description
The Reuters Direct plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'logoff' action in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to reset the plugin's settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Reuters Direct WordPress plugin lacks a capability check on the 'logoff' action, allowing unauthenticated attackers to reset plugin settings.
Vulnerability Overview
The Reuters Direct plugin for WordPress, in all versions up to and including 3.0.0, lacks a capability check on the 'logoff' action. Because the action does not verify user permissions before it runs, it allows unauthorized modification of the plugin's settings [1].
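The missing check described above, shown as a generic WordPress handler before and after hardening. This is an added example, not code from the Reuters Direct plugin; the function names, the option key, the nonce action and the use of the `admin_init` hook are assumptions made for illustration.

```php
<?php
// Added illustration; not the Reuters Direct plugin's code.
// Hypothetical names: rd_example_*, 'rd_example_settings', 'rd_example_logoff'.

// Pattern the CVE describes: the handler acts on a request parameter
// without checking who sent the request. Defined here for contrast only.
function rd_example_logoff_unchecked() {
    if ( isset( $_REQUEST['action'] ) && 'logoff' === $_REQUEST['action'] ) {
        delete_option( 'rd_example_settings' ); // settings reset for any caller
    }
}

// Hardened form: authorize the caller, then verify request intent,
// and only then change state.
function rd_example_logoff_checked() {
    if ( ! isset( $_REQUEST['action'] ) || 'logoff' !== $_REQUEST['action'] ) {
        return;
    }

    // Capability check: only users who may manage site options can reset settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            'You are not allowed to change these settings.',
            '',
            array( 'response' => 403 )
        );
    }

    // Nonce check: the request must come from a form or link this site issued,
    // which blocks cross-site request forgery against a logged-in administrator.
    check_admin_referer( 'rd_example_logoff' );

    delete_option( 'rd_example_settings' );

    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
add_action( 'admin_init', 'rd_example_logoff_checked' );
```

The form or link that triggers the hardened handler has to carry the matching nonce, for example via `wp_nonce_field( 'rd_example_logoff' )`.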
Exploitation Details
An unauthenticated attacker can exploit this by sending a crafted request to the 'logoff' action endpoint without any authentication. No special privileges or network position are required, so the action is reachable by any visitor of a WordPress site using the vulnerable plugin [1].
Impact
Successful exploitation resets the plugin's settings to default values, potentially disrupting news feeds or configured options. This could lead to a loss of data integrity and minor service disruption, though it does not compromise the core WordPress installation or other plugins [1].
Mitigation Status
The plugin has been closed as of November 25, 2025, due to this security issue and is no longer available for download [1]. Users are advised to remove the plugin entirely from their WordPress installations to eliminate the risk. No patch is available for existing versions.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.0.0
Patches
No patches discovered yet.