cleantalk
Vulnerabilities and Security Researches

Post Type Switcher, CVE-2025-12524

CVE, Research URL

CVE-2025-12524

Home page URL

Security reports for Post Type Switcher

Application

Post Type Switcher

Published on
Nov 18, 2025
Research Description
The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to modify the post type of arbitrary posts and pages they do not own, including those created by administrators, which can lead to site disruption, broken navigation, and SEO impact.
Affected versions
max 4.0.1.
Status
vulnerable
Previous vulnerability researches
Advanced Flamingo (CVE-2023-52226) , Jun 07, 2024
Flamingo , Apr 16, 2025
Flamingo (022a9997dfc335fe7d818f90b085eb691dd3ba3c) , Jun 07, 2024
New vulnerability
Lucky Wheel for WooCommerce – Spin a Sale (CVE-2025-14509) , Jan 10, 2026
WP Voting Contest Lite (CVE-2025-60086) , Jan 10, 2026
Custom Related Posts (CVE-2025-68033) , Jan 10, 2026
Image Photo Gallery Final Tiles Grid (CVE-2025-13693) , Jan 10, 2026
Image Photo Gallery Final Tiles Grid (CVE-2025-14455) , Jan 10, 2026