CVE-2025-12641 in Awesome Support Plugin

Summary

by MITRE • 01/16/2026

The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify other users' roles, combined with a nonce reuse vulnerability where public registration nonces are valid for privileged actions because all actions share the same nonce namespace. This makes it possible for unauthenticated attackers to demote administrators to low-privilege roles via the 'wpas-do=mr_activate_user' action with a user-controlled 'user_id' parameter, provided they can access the publicly available registration/submit ticket page to extract a valid nonce.


Analysis

by VulDB Data Team • 01/17/2026

CVE-2025-12641 affects the Awesome Support WordPress plugin in all versions up to and including 6.3.6. It is an authorization bypass caused by a missing capability check: the wpas_do_mr_activate_user function changes a target user's role without first confirming that the requester is allowed to modify other users, so an entity that can reach the handler can alter user privileges in the WordPress installation.

A missing capability check alone would still require an attacker to get past the nonce verification, and that is where the second defect comes in. The plugin uses one nonce action string for every 'wpas-do' request, including the public registration and ticket-submission form and the privileged user-management actions. A WordPress nonce is a CSRF token, not an authorization check: it proves the request originated from a page the site served, and for a logged-out visitor it is derived from the action string, user ID 0 and an empty session token, so any anonymous visitor can obtain one by loading the public form. Because the privileged action verifies against the same action string, that public nonce satisfies the check, and with no capability check behind it an unauthenticated attacker can change user roles by supplying a 'user_id' of their choosing.

The impact the summary describes is demotion of administrators to low-privilege roles, which is a denial of administrative control rather than an escalation of the attacker's own privileges: an attacker who demotes every administrator can lock the site's operators out of user management, plugin updates and other administrative functions until access is restored at the database or WP-CLI level. Whether the same code path can also assign an elevated role is not stated in the advisory, so the supported impact is loss of administrative control, with the attendant risk that a lockout is used to cover other activity or to delay a response.

The weakness is classified as CWE-863, "Incorrect Authorization". VulDB lists ATT&CK techniques T1078.004 and T1548.001; note that T1078.004 is the Cloud Accounts sub-technique of Valid Accounts and T1548.001 is the Setuid and Setgid sub-technique of Abuse Elevation Control Mechanism, neither of which describes this behaviour precisely, and Account Manipulation (T1098) is the closer fit for an unauthorized change to a user's role. The prerequisites are minimal: the attacker only needs to load the publicly available registration or ticket page to obtain a nonce, so every exposed site running an affected version is reachable without credentials. Organizations should update the plugin to a version that adds the capability check and scopes nonces per action.
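The following PHP is an added illustration and is not code from the Awesome Support plugin or from VulDB. It shows the shape of the defect the summary describes (one nonce action string shared by public and privileged requests, no capability check) beside a hardened handler. The function names, the `wpas_nonce` action string, the `_wpnonce` parameter name and the `subscriber` target role are assumptions standing in for whatever the plugin actually uses; only the WordPress core functions are real.

```php
<?php
// Added example, not the plugin's own code. Hypothetical handlers modelled on
// the advisory: a 'wpas-do' dispatcher whose 'mr_activate_user' action changes
// a user's role, with 'user_id' taken from the request.

// Vulnerable shape. Every 'wpas-do' action verifies against the same action
// string, so a nonce minted for the public ticket/registration form passes.
// For a logged-out visitor wp_create_nonce() hashes tick|action|0|'' (user ID 0,
// empty session token), so all anonymous visitors share that nonce.
function wpas_do_mr_activate_user_vulnerable() {
    if ( ! wp_verify_nonce( $_REQUEST['_wpnonce'] ?? '', 'wpas_nonce' ) ) {
        wp_die( 'Invalid request.' );
    }
    // No capability check: nothing confirms the requester may edit users.
    $user = get_userdata( (int) ( $_REQUEST['user_id'] ?? 0 ) );
    if ( $user ) {
        // Attacker-controlled target; an administrator can be demoted here.
        $user->set_role( 'subscriber' ); // target role is a placeholder
    }
}

// Hardened shape: authenticated caller, action-specific nonce bound to the
// target user, explicit capability check, and a guard against touching an
// account more privileged than the caller.
function wpas_do_mr_activate_user_hardened() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required.', 401 );
    }
    $user_id = (int) ( $_REQUEST['user_id'] ?? 0 );
    // The nonce action now names this operation and this target, so a nonce
    // from the public form (different action string) cannot be replayed here.
    if ( ! wp_verify_nonce( $_REQUEST['_wpnonce'] ?? '', 'wpas_mr_activate_user_' . $user_id ) ) {
        wp_die( 'Invalid request.', 403 );
    }
    // promote_users is the capability WordPress core requires to change roles.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        wp_die( 'Unknown user.', 404 );
    }
    // Do not let a non-administrator alter an administrator-level account.
    if ( $user->has_cap( 'manage_options' ) && ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Cannot modify this account.', 403 );
    }
    $user->set_role( 'subscriber' ); // target role is a placeholder
}

// Building a link that carries the matching per-action, per-target nonce.
function wpas_mr_activate_user_url( $user_id ) {
    $user_id = (int) $user_id;
    $url     = add_query_arg(
        array( 'wpas-do' => 'mr_activate_user', 'user_id' => $user_id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'wpas_mr_activate_user_' . $user_id );
}
```

The capability check is the fix; the nonce change is defence in depth. WordPress nonces are replayable within their validity window and, for anonymous visitors, identical across visitors, so a nonce must never be the only thing standing between a request and a privileged operation.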

Remediation is to update Awesome Support to a version in which role modification is gated on an explicit capability check (the requester must hold the administrative capability to change other users' roles) and in which privileged actions verify a nonce scoped to that action rather than the one issued on the public form. WordPress nonces are already time-limited by default, so the missing property was scoping, not expiry. After patching, administrators should audit current role assignments against the accounts that are expected to hold the administrator role, since a demotion that occurred before the update will not be reversed by it, and should log and alert on role changes so that an unexpected demotion, particularly one made by an unauthenticated request, is noticed promptly.
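As an added detection and audit example (not part of the plugin or of this advisory), the following must-use plugin hooks WordPress core's `set_user_role` action, which `WP_User::set_role()` fires with the target user ID, the new role and the previous roles, so a demotion made through any plugin is recorded with the acting user and request context. It also provides a post-patch audit helper that compares the accounts currently holding the administrator role against an expected list. The `example_` function names, the log format and the alert destination are assumptions.

```php
<?php
// Added example, not Awesome Support or VulDB code. Save as
// wp-content/mu-plugins/example-role-audit.php so it loads before other plugins.
// Names prefixed 'example_' are placeholders.

/**
 * Record every role change with who made it and from which request.
 * get_current_user_id() is 0 for an unauthenticated request, which is the
 * case this advisory describes.
 */
function example_log_role_change( $user_id, $role, $old_roles ) {
    $actor = get_current_user_id();
    $entry = sprintf(
        '[%s] role change user=%d %s -> %s actor=%d ip=%s wpas-do=%s uri=%s',
        gmdate( 'c' ),
        $user_id,
        implode( ',', (array) $old_roles ) ?: '(none)',
        $role,
        $actor,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_REQUEST['wpas-do'] ) ? sanitize_key( $_REQUEST['wpas-do'] ) : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? esc_url_raw( $_SERVER['REQUEST_URI'] ) : '-'
    );
    error_log( $entry );

    // Two conditions match the advisory exactly: an administrator losing the
    // role, or any role change made by a request with no authenticated user.
    if ( in_array( 'administrator', (array) $old_roles, true ) || 0 === $actor ) {
        wp_mail( get_option( 'admin_email' ), 'Suspicious WordPress role change', $entry );
    }
}
add_action( 'set_user_role', 'example_log_role_change', 10, 3 );

/**
 * One-off audit after patching. 'missing' logins were expected to be
 * administrators but are not (demoted or deleted); 'unexpected' logins hold
 * the role but were not on the expected list (promoted).
 */
function example_audit_administrators( array $expected_logins ) {
    $current = wp_list_pluck( get_users( array( 'role' => 'administrator' ) ), 'user_login' );
    return array(
        'missing'    => array_values( array_diff( $expected_logins, $current ) ),
        'unexpected' => array_values( array_diff( $current, $expected_logins ) ),
    );
}
// Usage: print_r( example_audit_administrators( array( 'admin', 'ops-lead' ) ) );
```

Without a hook in place, the same snapshot can be taken from the command line with `wp user list --role=administrator --fields=ID,user_login,user_email` and compared by hand; the hook matters because a demotion performed through a plugin action leaves no trace in the default WordPress logs.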

Disclosure

01/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00064

KEV

no

Activities

very low

Sources
