PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12525 Redux Framework CVE debrief

The Redux Framework WordPress plugin before 4.5.13 does not restrict which user meta keys can be written when saving custom profile fields. This allows users with at least the Subscriber role to escalate their privileges to Administrator by submitting a crafted value while updating their own profile. This issue affects sites where the Redux Framework WordPress plugin's user-profile feature is enabled. Site administrators should verify their plugin version and update to 4.5.13 or later to mitigate this vulnerability.

Vendor
Redux Framework
Product
Redux Framework WordPress plugin
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Site administrators using the Redux Framework WordPress plugin before version 4.5.13, especially those with user-profile feature enabled, should verify their plugin version and update to 4.5.13 or later to mitigate this vulnerability. They should also review user-profile configurations and restrict user roles and capabilities as necessary.

Technical summary

The Redux Framework WordPress plugin before 4.5.13 is vulnerable to privilege escalation due to unrestricted writing of user meta keys. This allows users with at least the Subscriber role to escalate their privileges to Administrator by submitting a crafted value while updating their own profile. The vulnerability exists when the user-profile feature of the plugin is enabled, posing a significant risk to site administrators.

Defensive priority

High

Recommended defensive actions

  • Update Redux Framework WordPress plugin to version 4.5.13 or later
  • Verify that the user-profile feature is not enabled if not needed
  • Monitor user profile updates for suspicious activity
  • Restrict user roles and capabilities as necessary
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

Evidence from WPScan indicates that the Redux Framework WordPress plugin before 4.5.13 is vulnerable to privilege escalation. The CVE record and NVD detail provide additional context. WPScan's research highlights the importance of restricting user meta keys to prevent such attacks. Further review of user-profile feature configurations is recommended to ensure secure settings.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T07:16:46.987Z and has not been modified since then.