Overview A significant security vulnerability, identified as CVE-2025-13141, has been discovered in the HT Mega – Absolute Addons For Elementor plugin for WordPress. This vulnerability affects all versions up to and including 3.0.0. It’s a Stored Cross-Site Scripting (XSS) flaw that allows authenticated attackers, with contributor-level access or higher, to inject malicious JavaScript code into pages. This code will then execute whenever a user accesses those pages, potentially leading to account compromise or other malicious actions. Technical Details The vulnerability stems from insufficient input validation when processing user-supplied HTML tag names within the plugin’s Gutenberg blocks. Specifically, the lack of…
-
-
Overview CVE-2025-12039 is a medium severity vulnerability affecting the BigBuy Dropshipping Connector for WooCommerce plugin for WordPress. This flaw allows unauthenticated attackers to perform IP address spoofing, potentially gaining unauthorized access to sensitive information, specifically the output of phpinfo(). The vulnerability exists in versions up to and including 2.0.5. Technical Details The vulnerability stems from insufficient IP address validation within the plugin’s API controller. The plugin relies heavily on user-supplied HTTP headers (such as X-Forwarded-For or Client-IP) to determine the client’s IP address. Without proper sanitization or validation of these headers, an attacker can inject a malicious IP address, leading…
-
Overview CVE-2025-11973 identifies a critical Arbitrary File Read vulnerability affecting the 简数采集器 WordPress plugin. This vulnerability exists in versions up to and including 2.6.3. It allows authenticated attackers with Administrator-level access or higher to potentially read sensitive files on the server. This vulnerability stems from insecure handling of the __kds_flag functionality when importing featured images. Technical Details The vulnerability lies within the __kds_flag functionality, used to import featured images. Due to insufficient input validation and sanitization, an attacker with administrative privileges can manipulate the file path provided to the import function. By crafting a specific request, an attacker can bypass…
-
Overview A critical security vulnerability, identified as CVE-2025-11826, has been discovered in the WP Company Info plugin for WordPress. This vulnerability is a Stored Cross-Site Scripting (XSS) flaw affecting versions up to and including 1.9.0. The vulnerability arises due to insufficient input sanitization and output escaping in the ‘class’ attribute of the ‘social-networks’ shortcode. Technical Details The WP Company Info plugin allows users to display company information and social media links on their WordPress site. The ‘social-networks’ shortcode provides functionality to render these links. However, the plugin fails to properly sanitize user-supplied input within the ‘class’ attribute of this shortcode.…
-
Overview A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Shortcode for Google Street View plugin for WordPress. This vulnerability, tracked as CVE-2025-11808, affects all versions up to and including 0.5.7. It allows authenticated attackers with contributor-level access or higher to inject malicious JavaScript code into WordPress pages. This code will then execute whenever a user visits the affected page, potentially leading to account compromise or other malicious activities. Technical Details The vulnerability stems from insufficient input sanitization and output escaping within the ‘streetview’ shortcode. Specifically, the ‘id’ attribute is not properly sanitized before being rendered in the…
-
Overview CVE-2025-11803 identifies a Stored Cross-Site Scripting (XSS) vulnerability found in the WPSite Shortcode plugin for WordPress. This vulnerability affects all versions up to and including 1.2. It allows authenticated attackers with contributor-level access or higher to inject malicious JavaScript code into website pages. When a user visits the injected page, the malicious script executes, potentially leading to account compromise, data theft, or other harmful actions. Technical Details The vulnerability stems from insufficient input sanitization and output escaping within the plugin’s shortcode functionality. Specifically, the ‘format’ attribute in the wpsite_y shortcode and the ‘before’ attribute in the wpsite_postauthor shortcode are…
-
Overview A critical vulnerability, identified as CVE-2025-13322, has been discovered in the WP AUDIO GALLERY plugin for WordPress. This vulnerability allows authenticated attackers (subscriber-level access and above) to delete arbitrary files on the server due to insufficient file path validation. This flaw can easily lead to remote code execution by deleting critical files such as wp-config.php. Technical Details The vulnerability exists in all versions of the WP AUDIO GALLERY plugin up to, and including, version 2.0. The issue stems from the wpag_uploadaudio_callback() AJAX handler, which is responsible for handling audio uploads. This handler does not properly validate user-supplied file paths…
-
Overview CVE-2025-13159 describes a critical Stored Cross-Site Scripting (XSS) vulnerability found in the Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress, affecting versions up to and including 1.0.43. This vulnerability allows unauthenticated attackers to inject malicious JavaScript code into the WordPress admin interface, potentially leading to full site compromise. Technical Details The vulnerability stems from the plugin’s handling of SVG file uploads via an unauthenticated AJAX endpoint, specifically flo_form_submit. The plugin lacks proper validation of the SVG file content, allowing attackers to upload malicious SVG files containing embedded JavaScript. When an administrator views the uploaded file…
-
Overview CVE-2025-13142 describes a Cross-Site Request Forgery (CSRF) vulnerability found in the Custom Post Type plugin for WordPress, affecting all versions up to and including version 1.0. This vulnerability allows unauthenticated attackers to potentially delete custom post types by tricking a site administrator into clicking a malicious link or performing an unintended action. Due to the absence of proper nonce validation on the custom post type deletion functionality, an attacker can forge a request that, when executed by an authenticated administrator, leads to the deletion of a custom post type. Technical Details The vulnerability resides in the lack of nonce…
-
Overview CVE-2025-13135 identifies a Stored Cross-Site Scripting (XSS) vulnerability affecting the HotelRunner Booking Widget plugin for WordPress. This vulnerability resides within the plugin’s ‘hotelrunner’ shortcode and impacts all versions up to and including 5.2.4. Due to insufficient input sanitization and output escaping, authenticated attackers with contributor-level access or higher can inject malicious web scripts into WordPress pages. When other users visit these compromised pages, the injected scripts execute, potentially leading to account compromise, data theft, or website defacement. Technical Details The vulnerability stems from the plugin’s failure to properly sanitize and escape user-supplied attributes within the ‘hotelrunner’ shortcode. Specifically, an…