• Cybersecurity Vulnerabilities

    CVE-2025-13357: Critical Authentication Bypass Vulnerability in Vault Terraform Provider – Act Now!

    Overview
    A high-severity vulnerability, CVE-2025-13357, has been found in HashiCorp's Terraform provider for Vault. The flaw is in how the provider configures the LDAP auth method and, under specific circumstances, lets an attacker bypass authentication. Upgrade to Vault Terraform Provider v5.5.0 as soon as possible to remediate it.
    Technical Details
    The vulnerability stems from an incorrect default for the deny_null_bind parameter of the LDAP auth method configuration managed by the provider. deny_null_bind tells Vault to reject login attempts that present an empty password (which an LDAP server would otherwise treat as an anonymous bind). Vault itself defaults it to true, but the provider defaulted it to false, so an LDAP auth backend created through the provider without an explicit deny_null_bind = true had that protection switched off. If the underlying LDAP server permits anonymous or unauthenticated binds (null binds),…

  • Cybersecurity Vulnerabilities

    Urgent: Critical Authentication Bypass Vulnerability Found in Mstoreapp WordPress Plugins (CVE-2025-11127)

    Overview
    A significant vulnerability, CVE-2025-11127, has been discovered in the Mstoreapp Mobile App WordPress plugin (versions up to 2.08) and the Mstoreapp Mobile Multivendor plugin (versions up to 9.0.1). It allows unauthenticated attackers to obtain a valid session for any user simply by knowing that user's email address, which puts both the site and its users' data at serious risk.
    Technical Details
    The vulnerability lies in the plugins' handling of AJAX actions: they do not verify the identity of the caller before processing the request. This allows an unauthenticated user to craft a malicious request…
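    The flaw class described above, as an added illustration that is not Mstoreapp's code: a hypothetical mobile-app login AJAX action (the hook and function names are invented for this example) that hands out a WordPress session on the strength of an email address alone, beside a version that only issues the session after WordPress has verified a real credential. It assumes the WordPress runtime (get_user_by, wp_authenticate, wp_set_auth_cookie and friends).

```php
<?php
// Added illustration (not Mstoreapp's code). Hypothetical mobile-app login
// endpoint showing the flaw class behind CVE-2025-11127: an AJAX action that
// issues a session for whichever account matches a supplied e-mail address.

// VULNERABLE: reachable without login (wp_ajax_nopriv_), and the only
// "credential" is the e-mail. Anyone who knows admin@example.com is logged
// in as that account; the endpoint also confirms which e-mails exist.
add_action('wp_ajax_nopriv_demo_app_login', 'demo_app_login_vulnerable');
function demo_app_login_vulnerable(): void
{
    $user = get_user_by('email', sanitize_email($_POST['email'] ?? ''));
    if (!$user) {
        wp_send_json_error('no such user', 404);
    }
    wp_set_current_user($user->ID);
    wp_set_auth_cookie($user->ID, true);      // session issued, nothing verified
    wp_send_json_success(['user_id' => $user->ID]);
}

// HARDENED: the session is issued only after wp_authenticate() has run the
// full WordPress authentication pipeline (password hash check, application
// passwords, 2FA and lockout plugins hooked on the 'authenticate' filter),
// so the endpoint does not reinvent any of it.
add_action('wp_ajax_nopriv_demo_app_login_v2', 'demo_app_login_hardened');
function demo_app_login_hardened(): void
{
    $email    = sanitize_email(wp_unslash($_POST['email'] ?? ''));
    $password = (string) wp_unslash($_POST['password'] ?? '');
    $user     = wp_authenticate($email, $password);   // accepts username or e-mail

    if (is_wp_error($user)) {
        // One response for "unknown e-mail" and "wrong password": the login
        // endpoint must not double as an account-enumeration oracle.
        wp_send_json_error('invalid credentials', 401);
    }
    wp_set_current_user($user->ID);
    wp_set_auth_cookie($user->ID, true);
    wp_send_json_success(['user_id' => $user->ID]);
}
```

    The hardened handler deliberately keeps the anonymous (nopriv) hook, because a login endpoint has to be reachable before login; what changes is that a session is never minted from a lookup alone. For a native mobile client, application passwords or a token issued after this same wp_authenticate() call are usually a better fit than the browser auth cookie, but the principle is identical.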

  • Cybersecurity Vulnerabilities

    Easy Invoice Plugin Vulnerability: CVE-2025-66115 Allows Local File Inclusion!

    Overview
    This article analyses CVE-2025-66115, a critical Local File Inclusion (LFI) vulnerability in the Easy Invoice WordPress plugin. It allows attackers to read sensitive files on the server by manipulating the filename passed to PHP's include/require statements. Because an included file is executed as PHP, a flaw of this kind can escalate from file disclosure to code execution whenever the attacker can get PHP code into any file the web server can read. Affected versions: Easy Invoice 2.1.4 and earlier.
    Technical Details
    CVE-2025-66115 is an "Improper Control of Filename for Include/Require Statement" weakness (CWE-98). The Easy Invoice plugin does not adequately sanitize or validate user-supplied input that is then used as part of a file path in a PHP `include`, `require`, `include_once`, or `require_once`…
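    The include/require pattern described above, as an added example that is not the Easy Invoice plugin's code: a hypothetical invoice-template loader (function names, the template list and the `template` query parameter are all invented here) that splices a request value into an include path, beside a resolver that allow-lists the name and then confirms the canonical path is still inside the templates directory. The resolver needs no WordPress runtime; the self-check at the bottom writes a throwaway directory when run from the command line.

```php
<?php
// Added illustration (not Easy Invoice's code). Hypothetical template loader
// showing the include pattern behind CVE-2025-66115 and a confined fix.

// VULNERABLE: the file name comes straight from the request and is spliced
// into the include path. "../../../../etc/passwd%00" style tricks are gone
// on modern PHP, but "../../wp-config" still walks out of the directory,
// and any readable file the attacker can seed with PHP is executed.
function render_invoice_template_vulnerable(string $base_dir): void
{
    $name = $_GET['template'] ?? 'default';          // attacker-controlled
    include $base_dir . '/' . $name . '.php';        // CWE-98
}

// HARDENED: allow-list first, then canonicalise and check containment.
// Returns the resolved path, or null when the name is not acceptable.
function resolve_invoice_template(string $base_dir, string $name): ?string
{
    // 1. Only template names the plugin ships with (hypothetical list).
    //    This alone blocks traversal and stream wrappers such as php://filter.
    static $allowed = ['default', 'compact', 'detailed'];
    if (!in_array($name, $allowed, true)) {
        return null;
    }

    // 2. Belt and braces: realpath() collapses "..", "./" and symlinks and
    //    returns false for missing files; the result must still sit under base.
    $real_base = realpath($base_dir);
    $real_file = realpath($base_dir . '/' . $name . '.php');
    if ($real_base === false || $real_file === false) {
        return null;
    }
    $prefix = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real_file, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real_file;
}

function render_invoice_template_hardened(string $base_dir): void
{
    $name = isset($_GET['template']) ? (string) $_GET['template'] : 'default';
    $path = resolve_invoice_template($base_dir, $name);
    if ($path === null) {
        http_response_code(400);
        exit('Unknown template');
    }
    include $path;
}

// Stand-alone check (php this_file.php): builds a temporary templates
// directory with one real template and exercises the resolver.
if (PHP_SAPI === 'cli') {
    $tmp = sys_get_temp_dir() . '/tpl_' . bin2hex(random_bytes(4));
    mkdir($tmp);
    file_put_contents($tmp . '/default.php', "<?php echo 'ok';");

    var_dump(resolve_invoice_template($tmp, 'default'));
    var_dump(resolve_invoice_template($tmp, '../../../../etc/passwd'));
    var_dump(resolve_invoice_template($tmp, 'php://filter/convert.base64-encode/resource=index'));
    var_dump(resolve_invoice_template($tmp, 'compact'));   // allowed name, file absent

    unlink($tmp . '/default.php');
    rmdir($tmp);
}
```

    The allow-list is the control that actually closes the hole; the realpath containment check is there so that a future change to the list (a template name that is itself a subdirectory, say) cannot quietly reopen it.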

  • Cybersecurity Vulnerabilities

    CVE-2025-66114: WooCommerce Plugin Vulnerability Exposes Product Variations – Act Now!

    Overview
    CVE-2025-66114 is a critical vulnerability in the "Show Variations as Single Products Woocommerce" plugin (slug woo-show-single-variations-shop-category) for WooCommerce. It is classified as Missing Authorization (CWE-862), the "Exploiting Incorrectly Configured Access Control Security Levels" attack pattern: a privileged operation can be reached without the access-control check that should guard it. Versions up to and including 2.0 are affected.
    Technical Details
    The vulnerability stems from a lack of proper authorization checks in the plugin's code, which lets unauthorized users access or manipulate product-variation settings that should be restricted to specific user roles or to administrators. While the specific exploitation vector requires further investigation of the…

  • Cybersecurity Vulnerabilities

    CVE-2025-66113: Critical Access Control Flaw in Better Chat Support for Messenger Plugin

    Published: 2025-11-21
    Overview
    This article details CVE-2025-66113, a critical vulnerability in the Better Chat Support for Messenger WordPress plugin. It is a Missing Authorization issue (CWE-862) that enables the "Exploiting Incorrectly Configured Access Control Security Levels" attack pattern; successful exploitation could lead to unauthorized access to, and modification of, sensitive plugin data or functionality. All versions up to and including 1.2.18 are affected.
    Technical Details
    CVE-2025-66113 stems from a missing authorization check in the Better Chat Support for Messenger plugin: the plugin fails to validate user permissions before granting access to…

  • Cybersecurity Vulnerabilities

    CVE-2025-66112: Unveiling a Broken Access Control Vulnerability in WebToffee Accessibility Toolkit

    Overview
    This article analyses CVE-2025-66112, a critical vulnerability in the WebToffee Accessibility Toolkit WordPress plugin (also listed as Accessibility Toolkit by WebYes, slug accessibility-plus). A missing authorization check exposes sites running the plugin to unauthorized access and manipulation. All versions up to and including 2.0.4 are affected; administrators running these versions should update to a patched version as soon as possible.
    Technical Details
    CVE-2025-66112 is classified as Missing Authorization (CWE-862), under the "Exploiting Incorrectly Configured Access Control Security Levels" attack pattern.…

  • Cybersecurity Vulnerabilities

    Critical Stored XSS Vulnerability Discovered in Nelio Popups WordPress Plugin (CVE-2025-66111)

    Overview
    A Stored Cross-Site Scripting (XSS) vulnerability, CVE-2025-66111, has been discovered in the Nelio Popups WordPress plugin, affecting versions 1.3.0 and below. A successful exploit lets an attacker inject script into the plugin's settings; the script is stored and then executed in the browser of every user who later opens the affected WordPress dashboard page. From there the usual stored-XSS outcomes apply: compromise of the accounts (administrators included) that view the page, and use of the site to distribute malware.
    Technical Details
    The vulnerability resides in the improper neutralization of user-supplied input during web page generation (CWE-79) within the Nelio Popups plugin. Specifically, the plugin fails to adequately sanitize input fields used…
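    The settings-page sink described above, as an added example that is not Nelio Popups' code: a hypothetical popup-title option (option name, nonce action and function names are invented here) stored raw and echoed raw into an admin form, beside the same option with a capability check, a nonce, input sanitisation and context-correct output escaping. It assumes the WordPress runtime.

```php
<?php
// Added illustration (not Nelio Popups' code). Hypothetical settings option
// showing the stored-XSS pattern behind CVE-2025-66111 and its fix.

// VULNERABLE: saved without sanitisation, printed without escaping. A value
// such as  "><script>/* steal the admin's session */</script>  is stored once
// and then runs for every administrator who opens the settings page.
function popup_settings_save_vulnerable(): void
{
    update_option('demo_popup_title', $_POST['demo_popup_title']);
}
function popup_settings_render_vulnerable(): void
{
    echo '<input name="demo_popup_title" value="' . get_option('demo_popup_title') . '">';
}

// HARDENED, defence in depth:
//   1. Capability + nonce: only an administrator submitting a fresh form can save.
//   2. Sanitise on input: sanitize_text_field() strips tags and control bytes
//      before the value reaches the database.
//   3. Escape on output for the exact context. This is the layer that actually
//      neutralises the XSS; 1 and 2 reduce who can write and what gets stored.
function popup_settings_save_hardened(): void
{
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges', '', ['response' => 403]);
    }
    check_admin_referer('demo_popup_settings_save');          // CSRF guard
    $title = sanitize_text_field(wp_unslash($_POST['demo_popup_title'] ?? ''));
    update_option('demo_popup_title', $title);
}
function popup_settings_render_hardened(): void
{
    // Attribute context: esc_attr(). In element text use esc_html(); if the
    // option is meant to carry limited HTML, store/print via wp_kses_post().
    echo '<input name="demo_popup_title" value="'
        . esc_attr(get_option('demo_popup_title', '')) . '">';
}

// Registering the option with a sanitize_callback applies layer 2 to every
// write path (Settings API, REST, WP-CLI), not only the handler above.
add_action('admin_init', function () {
    register_setting('demo_popup_settings', 'demo_popup_title', [
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ]);
});
```

    When reviewing a plugin for this bug, look at both ends of each option: every `update_option()` call that takes request data, and every `echo`/`printf` of `get_option()` output, and ask which escaping function matches the HTML context at the print site.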

  • Cybersecurity Vulnerabilities

    CVE-2025-66110: Critical Access Control Vulnerability in bPlugins Tiktok Feed Plugin

    Overview
    CVE-2025-66110 describes a Missing Authorization vulnerability (CWE-862) in the bPlugins Tiktok Feed plugin for WordPress, affecting versions up to and including 1.0.22. Because access control is not enforced correctly, an attacker can reach functionality that should require higher privileges, potentially gaining unauthorized access to, and modifying, plugin settings or data.
    Technical Details
    The vulnerability stems from a lack of proper authorization checks in the plugin's code. Certain functions or endpoints that manage the TikTok feed configuration do not verify the caller's permissions before executing privileged operations. This allows an attacker, possibly with lower-level privileges or even without authentication,…

  • Cybersecurity Vulnerabilities

    CVE-2025-66109: Critical Security Flaw in WooCommerce Cart Weight Plugin – Update Immediately!

    Overview
    CVE-2025-66109 describes a Missing Authorization vulnerability (CWE-862) in the Cart Weight for WooCommerce plugin, affecting versions up to and including 1.9.11. Because access control is not enforced correctly, an attacker can reach actions or data within the WooCommerce environment that should require higher privileges.
    Technical Details
    The vulnerability stems from a lack of proper authorization checks in the plugin: it fails to verify user permissions before allowing certain actions related to cart weight management. This allows an attacker, possibly with minimal privileges, to bypass the intended security measures and perform…

  • Cybersecurity Vulnerabilities

    TNC Toolbox Web Performance Plugin Under Threat: Critical Access Control Vulnerability (CVE-2025-66108)

    Overview
    A significant vulnerability, CVE-2025-66108, has been discovered in the TNC Toolbox: Web Performance WordPress plugin developed by Merlot Digital (by TNC). It is a Missing Authorization issue (CWE-862) that enables the "Exploiting Incorrectly Configured Access Control Security Levels" attack pattern. All versions up to and including 2.0.4 are affected.
    Technical Details
    The vulnerability stems from a lack of proper authorization checks within the plugin. Functionality or data that should be restricted to specific user roles or permissions is reachable without proper authentication or authorization. An attacker could potentially leverage…
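    The missing-authorization pattern shared by the six entries above (CVE-2025-66108, -66109, -66110, -66112, -66113 and -66114), as one added example that is not code from any of those plugins: a hypothetical settings-saving endpoint (hook names, option name and nonce action are invented here) exposed through both an AJAX action and a REST route with no check on who is calling, beside the same endpoint with the capability check, nonce and input sanitisation the class requires. It assumes the WordPress runtime.

```php
<?php
// Added illustration (not code from any plugin listed above). Hypothetical
// configuration endpoint showing the missing-authorization pattern
// (CWE-862) and the checks that close it.

// VULNERABLE: registered for logged-in users (wp_ajax_) AND anonymous
// callers (wp_ajax_nopriv_), and the handler never asks who is calling or
// whether the request was intentional. Any visitor can rewrite the option.
add_action('wp_ajax_demo_save_feed',        'demo_save_feed_vulnerable');
add_action('wp_ajax_nopriv_demo_save_feed', 'demo_save_feed_vulnerable');
function demo_save_feed_vulnerable(): void
{
    update_option('demo_feed_config', $_POST['config']);   // no authz, no nonce, raw input
    wp_send_json_success();
}

// HARDENED: logged-in hook only, capability check, nonce check, sanitised input.
// A nonce on its own is NOT an authorization check: any logged-in subscriber
// can obtain a valid nonce for the page, so current_user_can() is what
// confines the action to administrators.
add_action('wp_ajax_demo_save_feed_v2', 'demo_save_feed_hardened');
function demo_save_feed_hardened(): void
{
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);            // exits
    }
    check_ajax_referer('demo_save_feed', 'nonce');       // exits with 403 on mismatch
    $config = sanitize_text_field(wp_unslash($_POST['config'] ?? ''));
    update_option('demo_feed_config', $config);
    wp_send_json_success();
}

// The same rule for a REST route: permission_callback is mandatory, and
// '__return_true' there is the missing-authorization bug in disguise.
add_action('rest_api_init', function () {
    register_rest_route('demo/v1', '/feed', [
        'methods'             => 'POST',
        'callback'            => 'demo_rest_save_feed',
        'permission_callback' => fn() => current_user_can('manage_options'),
        'args'                => [
            'config' => [
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ],
        ],
    ]);
});
function demo_rest_save_feed(WP_REST_Request $req): WP_REST_Response
{
    // REST nonces: the client sends X-WP-Nonce and core verifies it before
    // the permission callback runs, so no separate check is needed here.
    update_option('demo_feed_config', $req->get_param('config'));
    return new WP_REST_Response(['ok' => true], 200);
}
```

    For triage across a plugin, list every `wp_ajax_nopriv_` registration and every `permission_callback` that is `__return_true` or missing, then read each handler for the state it changes; in the advisories above that is exactly where the privileged operation turned out to be reachable.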