CVE-2025-12158
Published: 04 November 2025
Summary
CVE-2025-12158 is a critical-severity Missing Authorization (CWE-862) vulnerability in the Simple User Capabilities plugin for WordPress. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 38.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 requires systems to enforce approved authorizations for access, directly mitigating the missing capability check that enables unauthenticated privilege escalation in the suc_submit_capabilities() function.
SI-2 mandates timely remediation of identified flaws, such as patching or deactivating the vulnerable Simple User Capabilities plugin to prevent exploitation.
AC-6 enforces least privilege for users and processes, limiting the scope and impact of unauthorized role elevations to administrator even if access enforcement fails.
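The AC-3 control above is concrete in WordPress terms: the handler that changes a role must ask whether the caller is authorized before acting. The following PHP is an added illustration of that pattern, not the Simple User Capabilities plugin's own code (its real suc_submit_capabilities() source is in the SVN reference, not reproduced here). The function names, AJAX action names and POST field names are assumptions chosen to show a missing-authorization handler beside its hardened form; the code runs only inside WordPress, because it uses core APIs.

```php
<?php
/*
 * Added illustration of the CWE-862 pattern behind CVE-2025-12158. This is
 * NOT the Simple User Capabilities plugin's code: the function names, the
 * AJAX action names and the POST field names are assumptions. Runs only
 * inside WordPress (admin-ajax.php), since it relies on core APIs.
 */

// ---- Vulnerable pattern (what a missing capability check looks like) -----
// Registered on both the logged-in and the 'nopriv' AJAX hooks, so anonymous
// HTTP clients reach it. Inputs are sanitized, but nobody checks whether the
// caller is ALLOWED to change roles: sanitization is not authorization.
function example_submit_caps_vulnerable() {
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $role    = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : '';

    $user = get_user_by( 'id', $user_id );
    if ( $user && get_role( $role ) ) {
        $user->set_role( $role ); // anyone can make any account an administrator
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_submit_caps_vulnerable',        'example_submit_caps_vulnerable' );
add_action( 'wp_ajax_nopriv_example_submit_caps_vulnerable', 'example_submit_caps_vulnerable' );

// ---- Hardened form (AC-3: enforce an approved authorization) --------------
function example_submit_caps_hardened() {
    // 1. Anti-CSRF: the request must carry a nonce minted for this action.
    //    check_ajax_referer() dies with HTTP 403 if it is missing or stale.
    check_ajax_referer( 'example_submit_caps', 'nonce' );

    // 2. Capability check: 'promote_users' is the core capability that governs
    //    role changes. Anonymous callers hold no capabilities at all.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $role    = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : '';

    // 3. Per-object check: the caller must be allowed to edit this account.
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Only roles the caller could assign through core's own UI
    //    (get_editable_roles() honours the 'editable_roles' filter).
    $editable = get_editable_roles();
    if ( ! isset( $editable[ $role ] ) ) {
        wp_send_json_error( 'role not assignable', 400 );
    }

    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }
    $user->set_role( $role );
    wp_send_json_success( array( 'user_id' => $user_id, 'role' => $role ) );
}
// Authenticated hook only. There is deliberately no 'wp_ajax_nopriv_' line:
// an unauthenticated request to this action now gets admin-ajax.php's
// default '0' response instead of ever reaching the handler.
add_action( 'wp_ajax_example_submit_caps', 'example_submit_caps_hardened' );
```

Each of the four checks in the hardened handler fails a different attacker: the nonce stops cross-site requests from a logged-in victim's browser, the capability check stops unauthenticated and low-privilege callers (the CVE's case), the edit_user check stops a legitimately capable user from touching accounts outside their scope, and the editable-roles check stops assignment of roles the caller could not assign in wp-admin. Auditing a plugin for this bug class means finding every `wp_ajax_nopriv_*`, REST route with `'permission_callback' => '__return_true'`, or `admin_post_nopriv_*` registration and confirming the state-changing handler behind it performs a `current_user_can()` check.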
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote exploitation of a public-facing WordPress plugin vulnerability enables initial access (T1190) and privilege escalation to administrator (T1068).
NVD Description
The Simple User Capabilities plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the suc_submit_capabilities() function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to elevate the role of any user account to administrator.
Deeper analysis
CVE-2025-12158, published on 2025-11-04, is a privilege escalation vulnerability in the Simple User Capabilities plugin for WordPress. It arises from a missing capability check in the suc_submit_capabilities() function, affecting all versions up to and including 1.0. The issue is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-862 (Missing Authorization).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction or privileges required. Successful exploitation allows them to elevate the role of any user account to administrator, potentially granting full control over the WordPress site and leading to high impacts on confidentiality, integrity, and availability.
Advisories and references, including the Wordfence threat intelligence page, the official WordPress plugin page, and the plugin's source code on SVN, provide further details on the vulnerability. The NVD description names no fixed version (every release up to and including 1.0 is affected), so practitioners should check those references for a patched release and, until one is installed, deactivate the plugin. Because the attack changes a stored user role rather than leaving a payload, a compromised site also needs its administrator accounts reviewed, not just the plugin updated.
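Since the impact of this CVE is a persistent role change, the SI-2 and AC-6 controls need a detection to pair with them: which accounts became administrators, when, and on whose authority. The following must-use plugin is an added example, not code from the Simple User Capabilities plugin or from any reference on this page. It hooks the core role-change actions and the capabilities user-meta write, logs every grant of the administrator role as one JSON line, and flags the signature this vulnerability produces: a grant with no logged-in user, or one made by a user who lacks promote_users. The log path, the example_ prefix and the e-mail notification are assumptions to adapt to your deployment.

```php
<?php
/**
 * Plugin Name: Role Elevation Monitor (added example)
 *
 * Added detection example; not code from the Simple User Capabilities plugin
 * or from any reference on this page. Save as
 * wp-content/mu-plugins/role-elevation-monitor.php so it loads before ordinary
 * plugins. Writes one JSON line per grant of the administrator role and flags
 * the cases this CVE produces: a grant with no logged-in user, or one made by
 * a user without 'promote_users'. Log path and 'example_' prefix are assumed.
 */

define( 'EXAMPLE_ROLE_LOG', WP_CONTENT_DIR . '/role-elevations.log' );

function example_record_admin_grant( $user_id, $new_role, $old_roles, $source ) {
    if ( 'administrator' !== $new_role ) {
        return;
    }
    // WP-CLI legitimately runs with no logged-in user; keep those grants
    // visible in the log but do not flag them as suspicious.
    $is_cli = defined( 'WP_CLI' ) && WP_CLI;
    $actor  = wp_get_current_user();               // ID 0 when unauthenticated

    $suspicious = ! $is_cli
        && ( 0 === $actor->ID || ! user_can( $actor, 'promote_users' ) );

    $event = array(
        'ts'         => gmdate( 'c' ),
        'source'     => $source,
        'target_id'  => (int) $user_id,
        'old_roles'  => implode( ',', (array) $old_roles ),
        'new_role'   => $new_role,
        'actor'      => $actor->ID
            ? $actor->user_login . '#' . $actor->ID
            : ( $is_cli ? 'wp-cli' : 'UNAUTHENTICATED' ),
        'remote_ip'  => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'uri'        => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '',
        'suspicious' => $suspicious,
    );
    // message_type 3 appends to the given file instead of the PHP error log.
    error_log( wp_json_encode( $event ) . PHP_EOL, 3, EXAMPLE_ROLE_LOG );

    if ( $suspicious ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Suspicious administrator grant on ' . home_url(),
            wp_json_encode( $event, JSON_PRETTY_PRINT )
        );
    }
}

// Path 1: code that goes through WP_User::set_role() / WP_User::add_role().
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    example_record_admin_grant( $user_id, $role, $old_roles, 'set_user_role' );
}, 10, 3 );
add_action( 'add_user_role', function ( $user_id, $role ) {
    example_record_admin_grant( $user_id, $role, array(), 'add_user_role' );
}, 10, 2 );

// Path 2: code that writes the '{prefix}capabilities' user meta directly
// never fires the role hooks above, so watch the meta write as well.
add_action( 'updated_user_meta', function ( $meta_id, $user_id, $meta_key, $value ) {
    global $wpdb;
    if ( $wpdb->prefix . 'capabilities' !== $meta_key ) {
        return;
    }
    if ( is_array( $value ) && ! empty( $value['administrator'] ) ) {
        example_record_admin_grant( $user_id, 'administrator', array(), 'updated_user_meta' );
    }
}, 10, 4 );
```

Two operational notes. First, set_role() itself updates the capabilities meta, so a normal grant produces two log lines with different source values; the duplication is intentional, because it guarantees that a plugin which bypasses the role API still produces at least one line. Second, the monitor is detection only: it does not revert the grant, because silently undoing role changes would also break legitimate administration. For a site that was exposed before the plugin was deactivated, the immediate response is to list every administrator (for example `wp user list --role=administrator`) and compare it against the known set, since an attacker-elevated account leaves no other trace on disk.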
Details
- CWE(s): CWE-862 (Missing Authorization)