PatchSiren

Redux Framework CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

Review Redux Framework CVE published 2026-07-16

CVE-2026-12525

The Redux Framework WordPress plugin before 4.5.13 does not restrict which user meta keys can be written when saving custom profile fields. This allows users with at least the Subscriber role to escalate their privileges to Administrator by submitting a crafted value while updating their own profile. This issue affects sites where the Redux Framework WordPress plugin's user-profile feature is enabled. Sit [truncated]