• Cybersecurity Vulnerabilities

    Beware! WP YouTube Lyte Plugin Vulnerable to Open Redirect Attacks (CVE-2025-66062)

    Overview This article details an Open Redirect vulnerability, identified as CVE-2025-66062, affecting the WP YouTube Lyte WordPress plugin. Versions up to and including 1.7.28 are affected. The flaw lets an attacker build a link on the legitimate site that, when clicked, sends the user to a site of the attacker's choosing, which makes it primarily a phishing risk. Technical Details CVE-2025-66062 is an ‘Open Redirect’ vulnerability: the plugin takes a redirect destination from user-supplied input and does not verify that the destination is one the site intends to send users to before issuing the redirect. Because the link itself points at a trusted domain, users and link scanners are more likely to follow it.…
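The check an open-redirect fix needs is validation of the destination, not sanitization of its characters. The following is an added example, not WP YouTube Lyte's code: a hypothetical helper that accepts only same-site paths or an explicit allowlist of hosts, exercised against constructed attacker inputs. In WordPress the same rule is implemented by wp_safe_redirect() and wp_validate_redirect(), with extra hosts supplied through the 'allowed_redirect_hosts' filter; the function and host names below are assumptions.

```php
<?php
// Added example, not WP YouTube Lyte's code. A hypothetical helper showing the
// check an open-redirect fix needs: the destination must be a local path or point
// at an explicitly allowed host. In WordPress, wp_safe_redirect() and
// wp_validate_redirect() apply the same rule, with extra hosts supplied through
// the 'allowed_redirect_hosts' filter.

/**
 * Return $target if it is a same-site path or points at an allowed host,
 * otherwise return $fallback. Pure function: it never sends a header itself.
 */
function demo_safe_redirect_target(string $target, array $allowed_hosts, string $fallback): string
{
    $target = trim($target);

    // Browsers treat "//evil.example/x" as a full URL, so give it a scheme before parsing.
    if (strncmp($target, '//', 2) === 0) {
        $target = 'https:' . $target;
    }

    $parts = parse_url($target);
    if ($parts === false) {
        return $fallback;
    }

    // Only http(s); this drops javascript:, data: and similar schemes.
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }

    // No host: accept only an absolute path on this site ("/wp-admin/", not "evil.example/x").
    if (!isset($parts['host'])) {
        return (isset($parts['path']) && strncmp($parts['path'], '/', 1) === 0) ? $target : $fallback;
    }

    // Exact, case-insensitive host match. Substring checks would let
    // "example.com.evil.example" and "https://example.com@evil.example/" through.
    return in_array(strtolower($parts['host']), $allowed_hosts, true) ? $target : $fallback;
}

// The vulnerable pattern is the one-liner header('Location: ' . $_GET['url']);
// a fixed handler routes the parameter through the check above first.
function demo_redirect(string $userInput): void
{
    $safe = demo_safe_redirect_target($userInput, ['example.com', 'www.youtube.com'], 'https://example.com/');
    header('Location: ' . $safe, true, 302);
    exit;
}

// Constructed inputs an attacker would try, checked without sending headers.
$allowed  = ['example.com', 'www.youtube.com'];
$fallback = 'https://example.com/';
$cases = [
    '/wp-admin/'                           => '/wp-admin/',
    'https://www.youtube.com/watch?v=abc'  => 'https://www.youtube.com/watch?v=abc',
    'https://evil.example/phish'           => $fallback,
    '//evil.example/phish'                 => $fallback,
    'javascript:alert(1)'                  => $fallback,
    'https://example.com.evil.example/'    => $fallback,
    'https://example.com@evil.example/'    => $fallback,
    'evil.example/phish'                   => $fallback,
];
foreach ($cases as $input => $expected) {
    $got = demo_safe_redirect_target($input, $allowed, $fallback);
    printf("%-38s -> %s\n", $input, ($got === $expected ? 'ok   ' : 'FAIL ') . $got);
}
```

Run it with `php open_redirect_demo.php`. The cases worth keeping in a regression suite are the protocol-relative `//host` form, the `user@host` form and the look-alike subdomain, since those are the ones that slip past a naive "does it contain our domain" check.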

  • Cybersecurity Vulnerabilities

    Seriously Simple Podcasting Plugin: Addressing CVE-2025-66061 CSRF Vulnerability

    Overview This article provides information about CVE-2025-66061, a Cross-Site Request Forgery (CSRF) vulnerability in the Seriously Simple Podcasting WordPress plugin, affecting versions up to and including 3.13.0. CSRF lets an attacker make a logged-in user's browser perform actions the user never intended. Technical Details CVE-2025-66061 describes a Cross-Site Request Forgery (CSRF) vulnerability within the Seriously Simple Podcasting plugin. CSRF exploits the trust a website places in a user’s browser: the browser attaches the user's session cookie to every request sent to the site, so a request forged by a page on another origin is indistinguishable from a legitimate one unless the site also checks an unguessable per-request token (in WordPress, a nonce). An attacker can craft a malicious web page or email that, when visited or opened by an authenticated user, sends unauthorized requests to the…

  • Cybersecurity Vulnerabilities

    Seriously Simple Security Flaw: CVE-2025-66060 Exposes Your Podcast!

    Overview CVE-2025-66060 details a Missing Authorization vulnerability in the Seriously Simple Podcasting plugin for WordPress: an action is exposed without a check that the calling user is permitted to perform it. All versions up to and including 3.13.0 are affected. Technical Details Missing Authorization is a form of Broken Access Control. The code performs a privileged action without first checking the caller's permissions (in WordPress, typically a missing current_user_can() check on a handler that any authenticated user can reach). In the context of the Seriously Simple Podcasting plugin, this could mean that users with insufficient privileges are able to access or modify settings, podcast episodes, or other functionality that should be restricted to administrators…

  • Cybersecurity Vulnerabilities

    Podcast Security Alert: Seriously Simple Podcasting Plugin Vulnerable to Sensitive Data Exposure (CVE-2025-66059)

    Overview A vulnerability in the Seriously Simple Podcasting WordPress plugin, identified as CVE-2025-66059, may expose sensitive system information to users who should not be able to read it. Versions up to and including 3.13.0 are affected. Successful exploitation could allow attackers to retrieve embedded sensitive data that should not be publicly accessible. Technical Details CVE-2025-66059 is an “Exposure of Sensitive System Information to an Unauthorized Control Sphere” vulnerability. The description suggests that the plugin, in versions 3.13.0 and earlier, does not adequately restrict who can read certain system information. This allows an attacker to potentially extract sensitive data, such as configuration details,…

  • Cybersecurity Vulnerabilities

    CVE-2025-66057: Urgent: DOM-Based XSS Found in Bold Page Builder WordPress Plugin

    Overview A DOM-based Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-66057, has been discovered in the Bold Page Builder WordPress plugin, affecting versions up to and including 5.5.2. It allows attackers to run script of their choosing in victims' browsers, potentially compromising user data and website integrity. Technical Details CVE-2025-66057 is a DOM-based XSS vulnerability: the flaw is in client-side JavaScript that reads attacker-controllable input (for example from the URL) and writes it into the page without encoding it. Unlike reflected or stored XSS, the payload need not pass through the server at all, so server-side filtering and logs may never see it. An attacker can craft a malicious URL or manipulate existing page elements to inject arbitrary JavaScript that executes within the user’s browser. The input…

  • Cybersecurity Vulnerabilities

    Uncanny Automator Under Threat: CVE-2025-66056 Exposes Sensitive Data!

    Overview CVE-2025-66056 details a sensitive data exposure vulnerability in the Uncanny Owl Uncanny Automator WordPress plugin, classified as “Retrieve Embedded Sensitive Data” and affecting versions prior to 6.10.0. A party outside the intended control sphere, that is, a user who is not authorized to see it, can potentially read sensitive system information. This article provides a breakdown of the vulnerability, its potential impact, and recommended mitigation steps. Technical Details The vulnerability, as reported, lies in how Uncanny Automator handles sensitive data: embedded sensitive data can be accessed without proper authorization. The exact mechanism by which this data is exposed is not explicitly detailed in the initial vulnerability…

  • Cybersecurity Vulnerabilities

    Urgent Security Alert: Object Injection Vulnerability in Email Subscribers & Newsletters Plugin (CVE-2025-66055)

    Overview This article details a critical security vulnerability, CVE-2025-66055, affecting the Email Subscribers & Newsletters plugin for WordPress. It is a Deserialization of Untrusted Data issue that allows PHP Object Injection and impacts versions up to and including 5.9.10. Administrators using this plugin should understand the risk and update promptly. Technical Details The vulnerability stems from deserializing data the attacker can influence. The Email Subscribers & Newsletters plugin, in versions 5.9.10 and earlier, deserializes such data without restricting which classes may be instantiated, so the attacker chooses the class and the property values of the resulting objects and any magic methods of that class (such as __wakeup or __destruct) run with those values. Whether this becomes code execution, file writes or something milder depends on which “gadget” classes are loaded in the site. An attacker could potentially inject malicious PHP objects into the application’s memory…
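To make the object-injection mechanism concrete, here is an added example that is not the plugin's code: a hypothetical gadget class, Demo_Log_Writer, whose destructor writes a file, fed a payload string that unserialize() turns into a live object. The hardened variant shows the `allowed_classes` option, which is the minimal fix when the serialized format cannot be abandoned. Class, function and file names are assumptions for the demonstration.

```php
<?php
// Added example, not Email Subscribers & Newsletters code. Demonstrates PHP object
// injection with a hypothetical gadget class, Demo_Log_Writer: unserialize() of
// attacker-controlled bytes instantiates any loaded class, and that class's magic
// methods then run with the attacker's property values.

class Demo_Log_Writer
{
    public string $path;
    public string $data;

    // Runs when the object is released, including for objects that came from
    // unserialize() and were never built by the application's own code.
    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable: every loaded class is a candidate for instantiation.
function demo_unserialize_vulnerable(string $input): void
{
    $obj = unserialize($input);
    unset($obj);                 // last reference dropped: __destruct runs here
}

// Hardened: no application class may be instantiated. Objects become
// __PHP_Incomplete_Class, which carries the data but has no magic methods.
// For settings and similar plain data, json_decode() is the better choice,
// because it never creates objects of application classes at all.
function demo_unserialize_hardened(string $input)
{
    return unserialize($input, ['allowed_classes' => false]);
}

// Attacker side: the payload is just a string. No constructor is involved, so the
// attacker chooses $path and $data freely. Built with sprintf so that no real
// Demo_Log_Writer is created (and destructed) on the attacker's side.
$target  = sys_get_temp_dir() . '/demo_object_injection.txt';
$data    = "written by a deserialized object\n";
$payload = sprintf(
    'O:%d:"Demo_Log_Writer":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen('Demo_Log_Writer'), strlen($target), $target, strlen($data), $data
);

@unlink($target);
demo_unserialize_vulnerable($payload);
printf("unserialize():              file written: %s\n", file_exists($target) ? 'yes' : 'no');

@unlink($target);
$obj = demo_unserialize_hardened($payload);
printf("allowed_classes => false:   got %s, file written: %s\n",
    get_class($obj), file_exists($target) ? 'yes' : 'no');
@unlink($target);
```

The first run writes the file although the application never called `new Demo_Log_Writer`; the second yields a `__PHP_Incomplete_Class` and writes nothing. In a real site the gadget is usually a class from WordPress core, another plugin or a bundled library rather than the vulnerable plugin itself, which is why "we don't have any dangerous classes" is not a defence.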

  • Cybersecurity Vulnerabilities

    Enfold WordPress Theme Under Attack! Stored XSS Vulnerability (CVE-2025-66053) Discovered

    Overview A Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-66053, has been discovered in the Kriesi Enfold WordPress theme, affecting versions 7.1.2 and earlier. In a stored XSS the attacker’s script is saved on the server (for example in the database) and served to every user who later views the affected page, where it runs in their browser under their session; this can lead to data theft, session hijacking, or website defacement. Technical Details The vulnerability stems from improper neutralization of user-supplied input during web page generation: the Enfold theme fails to adequately sanitize or escape certain input fields, allowing attackers to…

  • Cybersecurity Vulnerabilities

    FluentCRM XSS Vulnerability (CVE-2025-12935): Understanding and Mitigation

    Overview A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress. Designated CVE-2025-12935, it affects all versions up to and including 2.9.84. It allows authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript into WordPress pages; the script then executes whenever any user, including a more privileged one, views the affected page, potentially leading to account compromise, data theft, or other malicious activity. Technical Details The vulnerability stems from insufficient input sanitization and output escaping of user-supplied attributes within the…
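Both the Enfold and the FluentCRM entries come down to the same defect: a stored attribute or body is written into HTML without output escaping for the context it lands in. The following added example, which is neither theme nor plugin code, renders a hypothetical shortcode the vulnerable way and then with context-aware handling, using constructed payloads. In WordPress the equivalents of the helpers below are esc_attr(), esc_html() and, for rich text that must keep some markup, wp_kses_post(); the function and attribute names are assumptions.

```php
<?php
// Added example, not Enfold or FluentCRM code. A hypothetical shortcode-style
// renderer that places a user-supplied attribute and body text into HTML: first
// the vulnerable concatenation, then with output handling chosen per context.
// In WordPress the equivalents are esc_attr(), esc_html() and wp_kses_post().

// Vulnerable: stored attribute and content are echoed verbatim, so a Contributor
// who can save the shortcode gets script running for every viewer, admins included.
function demo_render_vulnerable(array $atts, string $content): string
{
    $class = $atts['class'] ?? '';
    return '<div class="' . $class . '">' . $content . '</div>';
}

// Escape for an HTML attribute value or text node. The flags are given explicitly:
// before PHP 8.1 htmlspecialchars() left the single quote alone by default, which
// is enough to break out of class='...' style attributes.
function demo_esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A class list has a known shape, so validate it against an allowlist instead of
// relying on escaping alone; escaping afterwards is defence in depth.
function demo_sanitize_class_list(string $s): string
{
    return trim(preg_replace('/[^A-Za-z0-9_ -]/', '', $s));
}

function demo_render_fixed(array $atts, string $content): string
{
    $class = demo_esc(demo_sanitize_class_list($atts['class'] ?? ''));
    return '<div class="' . $class . '">' . demo_esc($content) . '</div>';
}

// Constructed payloads of the kind found in stored-XSS reports: one breaks out of
// the attribute, the other injects a tag with an event handler into the body.
$atts    = ['class' => 'box" onmouseover="alert(document.cookie)'];
$content = '<img src=x onerror="alert(1)">Hello';

echo "vulnerable: ", demo_render_vulnerable($atts, $content), "\n";
echo "fixed:      ", demo_render_fixed($atts, $content), "\n";
```

The vulnerable line emits a live `onmouseover` handler and an `<img onerror>`; the fixed line emits a harmless class list and the body as visible text. Escaping as shown is only correct for attribute and text contexts: a value written into a `<script>` block, a URL or inline CSS needs the encoder for that context, and content that must keep some HTML needs an allowlist filter rather than wholesale escaping.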

  • Cybersecurity Vulnerabilities

    CVE-2025-10054: Critical Vulnerability in ELEX WordPress HelpDesk Plugin Exposes Admin Privileges

    Overview CVE-2025-10054 is a security vulnerability in the ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress. It allows authenticated attackers with Subscriber-level access or higher to escalate their privileges by removing the roles and capabilities of administrative users, WSDesk Supervisors, or WSDesk Agents, which can lead to a complete takeover of the affected site. The flaw resides in the eh_crm_remove_agent function and stems from a missing capability check, so any logged-in user can reach a code path that manipulates user roles. Technical Details The vulnerability lies in the eh_crm_remove_agent function within the class-crm-ajax-functions-two.php file of the ELEX WordPress HelpDesk plugin. Prior…
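The CSRF entry (CVE-2025-66061), the Missing Authorization entry (CVE-2025-66060) and this missing capability check are the same lesson from three angles: a WordPress handler that changes state needs a nonce check and a capability check, and a handler that manages roles should also be confined to the roles it owns. The following added example is not ELEX or Seriously Simple Podcasting code; it is a hypothetical admin-ajax handler that removes help-desk roles, shown as such handlers typically look when vulnerable and then fixed. It runs inside WordPress, and the action, role, nonce and capability names are assumptions.

```php
<?php
// Added example, not ELEX HelpDesk or Seriously Simple Podcasting code. A hypothetical
// admin-ajax handler that removes help-desk roles from a user, first as such handlers
// are typically found in vulnerable plugins, then with the two checks every
// state-changing WordPress handler needs: a nonce (against CSRF) and a capability
// check (authorization). Runs inside WordPress; the action, role and capability
// names here are illustrative.

// Vulnerable: no nonce, no capability check. Any logged-in user (a Subscriber) can
// POST action=demo_remove_agent&user_id=1 to wp-admin/admin-ajax.php and strip the
// first administrator's roles, and a page on another origin can make their browser do it.
function demo_remove_agent_vulnerable() {
    $user = get_userdata( absint( $_POST['user_id'] ?? 0 ) );
    if ( $user ) {
        foreach ( $user->roles as $role ) {
            $user->remove_role( $role );
        }
    }
    wp_send_json_success();
}

// Fixed.
function demo_remove_agent_fixed() {
    // 1. CSRF: the request must carry a nonce this site issued for this action.
    //    check_ajax_referer() ends the request with HTTP 403 when it is missing or stale.
    check_ajax_referer( 'demo_remove_agent', 'nonce' );

    // 2. Authorization: being logged in is not a permission. 'promote_users' is the
    //    capability WordPress itself requires before changing roles in wp-admin; it is
    //    not granted to Subscribers, Contributors, Authors or Editors by default.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $user = get_userdata( absint( $_POST['user_id'] ?? 0 ) );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }

    // 3. Scope: a help-desk endpoint should only touch the roles it owns, so even an
    //    authorized caller cannot demote an administrator through it.
    $managed = array( 'demo_agent', 'demo_supervisor' );
    $removed = array_values( array_intersect( $user->roles, $managed ) );
    foreach ( $removed as $role ) {
        $user->remove_role( $role );
    }
    wp_send_json_success( array( 'removed' => $removed ) );
}

// Register for logged-in users only; never add a wp_ajax_nopriv_ hook for an action
// that changes state.
add_action( 'wp_ajax_demo_remove_agent', 'demo_remove_agent_fixed' );

// The client that calls the endpoint needs the matching nonce, for example passed
// to its script with wp_localize_script():
//   array( 'nonce' => wp_create_nonce( 'demo_remove_agent' ) )
```

When auditing a plugin for this class of bug, grep for `wp_ajax_` and `register_rest_route` registrations and confirm that every callback that writes has both a nonce (or REST `permission_callback`) and a `current_user_can()` check; a handler that has one but not the other is still exploitable, by a CSRF page in the first case and by any registered user in the second.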