Security Alert Summary
The Phrase TMS Integration for WordPress plugin contains a missing capability check on an AJAX endpoint that allows authenticated users with Subscriber-level access and above to delete log files. The issue affects versions up to and including 4.7.5 and may be used to remove audit or diagnostic logs from a site.
CVE Details
- CVE ID: CVE-2025-12168
- Affected plugin/component: Phrase TMS Integration for WordPress plugin
- Affected versions: All versions up to and including 4.7.5 (as stated in the CVE entry)
- Published: January 17, 2026 at 5:16:08 AM UTC
- Last modified: January 17, 2026 at 5:16:08 AM UTC
- CVSS v3.1: Base Score 4.3, Severity MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Authentication / privileges / user interaction: Requires an authenticated user (Subscriber-level access and above, per the description). CVSS lists Privileges Required: LOW and User Interaction: NONE.
- Primary impact: Confidentiality: NONE; Integrity: LOW (deletion/modification of log files); Availability: NONE
- CWE / weakness: CWE-862 (authorization bypass)
Technical Details
The vulnerability is caused by a missing capability check on the wp_ajax_delete_log AJAX endpoint. Because the endpoint does not verify that the requesting user has the appropriate capability, authenticated users with Subscriber-level access or higher can invoke the action and delete log files. The CVE description specifies this behavior for all plugin versions up to and including 4.7.5.
The direct impact described is removal of log files. This alters integrity of logging/audit data and can impede investigation or detection of other malicious activity. No disclosure in the CVE indicates confidential data exposure or availability disruption beyond the deletion of logs.
How This Could Impact Your Website
In a typical WordPress environment, the site owner and administrator rely on logs to track plugin actions, edits, and integration events. An internal contributor or an external contractor with a Subscriber-level account could trigger the vulnerable AJAX endpoint to delete log files. That deletion would remove records needed for auditing and incident response, making it harder to identify when or how other changes were made.
Practical consequences include loss of forensic information and a reduced ability to determine the timeline of changes or troubleshoot integration issues. This does not, based on the CVE details, indicate disclosure of user data or a complete site compromise, but it does weaken your ability to detect and respond to other problems.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available (the CVE does not specify a fixed version).
- Review and reduce unnecessary user roles, especially accounts with Contributor or higher privileges.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins to reduce your attack surface.
- Monitor site activity and logs for unusual behavior; consider external logging or backups of log data to prevent loss.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.