PatchSiren cyber security CVE debrief
CVE-2026-12525 Redux Framework CVE debrief
The Redux Framework WordPress plugin before 4.5.13 does not restrict which user meta keys can be written when saving custom profile fields. This allows users with at least the Subscriber role to escalate their privileges to Administrator by submitting a crafted value while updating their own profile. This issue affects sites where the Redux Framework WordPress plugin's user-profile feature is enabled. Site administrators should verify their plugin version and update to 4.5.13 or later to mitigate this vulnerability.
- Vendor
- Redux Framework
- Product
- Redux Framework WordPress plugin
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Site administrators using the Redux Framework WordPress plugin before version 4.5.13, especially those with user-profile feature enabled, should verify their plugin version and update to 4.5.13 or later to mitigate this vulnerability. They should also review user-profile configurations and restrict user roles and capabilities as necessary.
Technical summary
The Redux Framework WordPress plugin before 4.5.13 is vulnerable to privilege escalation due to unrestricted writing of user meta keys. This allows users with at least the Subscriber role to escalate their privileges to Administrator by submitting a crafted value while updating their own profile. The vulnerability exists when the user-profile feature of the plugin is enabled, posing a significant risk to site administrators.
Defensive priority
High
Recommended defensive actions
- Update Redux Framework WordPress plugin to version 4.5.13 or later
- Verify that the user-profile feature is not enabled if not needed
- Monitor user profile updates for suspicious activity
- Restrict user roles and capabilities as necessary
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
Evidence from WPScan indicates that the Redux Framework WordPress plugin before 4.5.13 is vulnerable to privilege escalation. The CVE record and NVD detail provide additional context. WPScan's research highlights the importance of restricting user meta keys to prevent such attacks. Further review of user-profile feature configurations is recommended to ensure secure settings.
Official resources
-
CVE-2026-12525 CVE record
CVE.org
-
CVE-2026-12525 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T07:16:46.987Z and has not been modified since then.