Medium severity4.3OSV Advisory· Published Nov 21, 2025· Updated Apr 15, 2026
CVE-2025-13149
CVE-2025-13149
Description
The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the "saveFutureActionData" function in all versions up to, and including, 4.9.1. This makes it possible for authenticated attackers, with author level access and above, to change the status of arbitrary posts and pages via the REST API endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
32.7.4, 3.0.5, 3.0.6, …+ 1 more
- (no CPE)range: 2.7.4, 3.0.5, 3.0.6, …
- (no CPE)range: <=4.9.1
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.