Overview
CVE-2025-13389 identifies a critical vulnerability in the “Admin and Customer Messages After Order for WooCommerce: OrderConvo” plugin for WordPress. This flaw allows unauthenticated attackers to access sensitive WooCommerce order details and private conversation messages between customers and store administrators without proper authorization.

Technical Details
The vulnerability stems from a missing capability check on the get_order_by_id() function within the wprest.class.php file. Specifically, all versions of the plugin up to and including version 14 are affected. This oversight enables unauthenticated users to retrieve information about any order by simply providing its ID, bypassing the intended access controls. Affected file: includes/wprest.class.php Vulnerable…
-
Overview
A critical vulnerability, identified as CVE-2025-13386, has been discovered in the Social Images Widget plugin for WordPress. This vulnerability allows unauthenticated attackers to potentially delete the plugin’s settings by exploiting a missing capability check. This poses a significant security risk, especially for websites relying on this plugin for displaying social media images.

Technical Details
The vulnerability stems from a missing capability check on the options_update function within the class-social-images-widget-settings.php file. This means that versions up to and including 2.1 of the Social Images Widget plugin do not properly verify if a user has the necessary permissions to modify the…
-
Overview
CVE-2025-13385 details a time-based SQL Injection vulnerability found in the Bookme – Free Online Appointment Booking and Scheduling Plugin for WordPress. This vulnerability affects all versions up to, and including, 4.2. Exploitation of this vulnerability allows authenticated attackers with administrative privileges or higher to inject malicious SQL code, potentially leading to sensitive data extraction from the WordPress database.

Technical Details
The vulnerability resides within the `filter[status]` parameter used in the Bookings.php file of the Bookme plugin. Specifically, versions 4.2 and earlier suffer from insufficient input sanitization on the user-supplied `filter[status]` parameter. The lack of proper escaping and insufficient preparation…
-
Overview
A critical security vulnerability, identified as CVE-2025-13383, has been discovered in the Job Board by BestWebSoft plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious JavaScript code that can execute in the browsers of legitimate users. Specifically, all versions of the plugin up to and including 1.2.1 are affected. This article provides a detailed analysis of the vulnerability, its potential impact, and instructions on how to mitigate the risk.

Technical Details
The vulnerability is a Stored Cross-Site Scripting (XSS) issue. It arises from the plugin’s practice of directly saving the entire $_GET superglobal array, unsanitized, into the…
-
Overview
CVE-2025-13382 describes an Insecure Direct Object Reference (IDOR) vulnerability found in the Frontend File Manager Plugin for WordPress. All versions up to and including 23.4 are affected. This flaw allows authenticated attackers, even those with Subscriber-level access, to rename files uploaded by other users. This is due to insufficient validation of file ownership during file rename requests processed by the /wpfm/v1/file-rename REST API endpoint.

Technical Details
The vulnerability stems from the Frontend File Manager plugin’s lack of proper authorization checks when handling file rename requests. The /wpfm/v1/file-rename REST API endpoint allows users to rename files using the fileid parameter,…
-
Overview
CVE-2025-13380 describes an arbitrary file read vulnerability found in the AI Engine for WordPress: ChatGPT, GPT Content Generator plugin for WordPress. This vulnerability affects all versions up to and including 1.0.1. An authenticated attacker with Contributor-level access or higher can exploit this flaw to read sensitive files on the server. This can lead to exposure of configuration files, database credentials, and other critical data.

Technical Details
The vulnerability stems from two main issues: Insufficient Validation in `lqdai_update_post` AJAX Endpoint: The plugin lacks proper validation of user-supplied file paths within the `lqdai_update_post` AJAX endpoint. This allows an attacker to manipulate…
-
Overview
A critical security vulnerability, identified as CVE-2025-13376, has been discovered in the ProjectList WordPress plugin. This vulnerability allows authenticated attackers with Editor-level access or higher to upload arbitrary files to the affected WordPress site’s server. This could lead to remote code execution and complete compromise of the website.

Technical Details
The vulnerability stems from a lack of proper file type validation in the ProjectList plugin. Specifically, the pl-add.php page is vulnerable. Versions up to and including 0.3.0 are affected. The plugin fails to adequately check the file extension and content type of uploaded files, allowing malicious actors to bypass…
-
Overview
This article details a medium-severity SQL Injection vulnerability identified as CVE-2025-13370, affecting the ProjectList WordPress plugin. All versions up to, and including, 0.3.0 are vulnerable. This flaw allows authenticated attackers with Editor-level access (or higher) to inject arbitrary SQL queries into existing queries, potentially leading to sensitive data extraction from the WordPress database.

Technical Details
CVE-2025-13370 is a time-based SQL Injection vulnerability found within the ‘id’ parameter of the ProjectList plugin. The vulnerability stems from inadequate input sanitization and insufficient preparation of the SQL query when processing the ‘id’ parameter. Specifically, the plugin fails to properly escape user-supplied data…
-
Stay informed about a significant security vulnerability, CVE-2025-13311, affecting the Just Highlight WordPress plugin. This article provides a comprehensive overview, technical analysis, and mitigation strategies to protect your WordPress site.

Overview
CVE-2025-13311 identifies a Stored Cross-Site Scripting (XSS) vulnerability within the Just Highlight plugin for WordPress. Versions up to and including 1.0.3 are susceptible. An authenticated attacker with administrator-level privileges or higher can inject malicious JavaScript code into the plugin’s settings, which will then be executed whenever another user (including administrators) accesses the plugin’s settings page. This can lead to account takeover, data theft, or other malicious activities.

Technical Details…
-
Overview
A critical security vulnerability, identified as CVE-2025-12645, has been discovered in the Inline Frame – Iframe plugin for WordPress. This flaw exposes websites to Stored Cross-Site Scripting (XSS) attacks. This article provides a detailed analysis of the vulnerability, its potential impact, and the necessary steps to mitigate the risk.

Technical Details
The vulnerability resides in the ‘embedsite’ shortcode functionality of the Inline Frame – Iframe plugin, affecting all versions up to and including 0.1. The plugin fails to adequately sanitize user-supplied attributes within the shortcode. Specifically, when a user with contributor-level access or higher inserts the [embedsite] shortcode with…