CVE-2025-12157: 
WordPress vulnerability analysis and mitigation

The Simple User Capabilities plugin for WordPress contains a missing authorization vulnerability (CVE-2025-12157) discovered on November 3, 2025. The vulnerability affects all versions up to and including 1.0, where a missing capability check on the 'wp_ajax_nopriv_reset_capability' AJAX endpoint allows unauthorized access (NVD).

The vulnerability stems from a missing capability check on the 'wp_ajax_nopriv_reset_capability' AJAX endpoint, which enables unauthenticated attackers to reset any user's capabilities. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The weakness is classified as CWE-862 (Missing Authorization) (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to reset any user's capabilities within the WordPress installation, potentially leading to unauthorized modification of user permissions and compromising the security of the affected website (NVD).

The plugin has been temporarily closed as of October 30, 2025, pending a full security review. Users are advised to remove the plugin until a patched version becomes available (WordPress Plugin).

The plugin has received positive reviews for its user role customization features before the vulnerability was discovered, with users praising its ease of use and powerful customization options (WordPress Plugin).