Overview
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Thai Lottery Widget plugin for WordPress, tracked as CVE-2025-13678. This vulnerability affects versions 2.5 and earlier of the plugin. It allows authenticated attackers with Contributor-level access or higher to inject malicious JavaScript code into WordPress pages. This code will then execute whenever a user visits the affected page, potentially leading to account compromise, data theft, or website defacement.
Technical Details
The vulnerability stems from insufficient input sanitization and output escaping of the width and height attributes used within the thailottery shortcode. The plugin fails to properly validate these…
Overview
CVE-2025-13614 identifies a significant Stored Cross-Site Scripting (XSS) vulnerability affecting the Cool Tag Cloud plugin for WordPress. This vulnerability exists in versions up to and including 2.29. By exploiting this flaw, authenticated attackers with Contributor-level access or higher can inject malicious JavaScript code into WordPress pages. When unsuspecting users visit these compromised pages, the injected scripts will execute, potentially leading to data theft, account compromise, or website defacement.
Technical Details
The vulnerability stems from insufficient input sanitization and output escaping within the 'cool_tag_cloud' shortcode. Specifically, the plugin fails to properly cleanse user-supplied attributes before rendering them in the HTML…
Overview
A high-severity Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2025-12879, has been discovered in the User Generator and Importer plugin for WordPress. This vulnerability affects versions up to and including 1.2.2. Exploitation allows unauthenticated attackers to potentially elevate user privileges by creating arbitrary administrator accounts, provided they can successfully trick a site administrator into clicking a malicious link or performing another action that triggers a forged request.
Technical Details
The vulnerability stems from a lack of proper nonce validation within the "Import Using CSV File" functionality of the User Generator and Importer plugin. Specifically, the user-generator.php file, around line…
Overview
CVE-2025-12876 is a medium-severity vulnerability affecting the Projectopia – WordPress Project Management plugin for WordPress. This vulnerability allows unauthenticated attackers to delete arbitrary attachments on a WordPress site running a vulnerable version of the plugin. Specifically, versions up to and including 5.1.19 are affected. The root cause is a missing capability check on the pto_delete_file AJAX action.
Technical Details
The vulnerability stems from the pto_delete_file AJAX action within the Projectopia plugin. This action is intended to allow authorized users to delete files associated with projects. However, due to the absence of a proper capability check before executing the…
Overview
A critical security vulnerability, identified as CVE-2025-12851, has been discovered in the My Auctions Allegro plugin for WordPress. This vulnerability, a Local File Inclusion (LFI) flaw, affects all versions of the plugin up to and including 3.6.32. Unauthenticated attackers can exploit this flaw to include and execute arbitrary files on the server, potentially leading to complete system compromise.
Technical Details
The vulnerability stems from improper input validation in the 'controller' parameter. An attacker can manipulate this parameter to point to local files on the server. Because the plugin fails to adequately sanitize this input, it allows the inclusion of…
Overview
This article details a Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2025-13684, affecting the ARK Related Posts plugin for WordPress. Version 2.19 of the plugin is susceptible to this vulnerability, allowing unauthenticated attackers to potentially modify the plugin's configuration settings if they can trick a site administrator into clicking a malicious link or performing other actions that trigger a crafted request.
Technical Details
The vulnerability stems from the missing or insufficient nonce validation within the ark_rp_options_page function. Nonce validation is a crucial security measure that prevents attackers from forging requests on behalf of authenticated users. Without proper nonce validation,…
Overview
CVE-2025-12130 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors plugin for WordPress. This vulnerability exists in versions up to and including 2.6.4. It allows unauthenticated attackers to potentially delete vendor products from a WooCommerce store if they can successfully trick a site administrator into performing an unintended action, such as clicking a malicious link.
Technical Details
The vulnerability stems from missing or insufficient nonce validation on the /vendor_dashboard/product/delete/ endpoint. Nonces are cryptographic tokens designed to prevent CSRF attacks. Without proper nonce validation, an attacker can craft a malicious request…
Overview
CVE-2025-13515 is a security vulnerability affecting the Nouri.sh Newsletter plugin for WordPress. Specifically, it's a Reflected Cross-Site Scripting (XSS) vulnerability present in all versions up to and including 1.0.1.3. This flaw allows unauthenticated attackers to potentially inject malicious JavaScript code into web pages that is then executed in a user's browser, provided the user is tricked into interacting with a crafted link.
Technical Details
The vulnerability stems from insufficient input sanitization and output escaping within the plugin's code. The `$_SERVER['PHP_SELF']` value is used without proper validation. This allows an attacker to craft a URL containing malicious JavaScript code. When…
Overview
A critical SQL Injection vulnerability, identified as CVE-2025-12850, has been discovered in the My Auctions Allegro plugin for WordPress. This vulnerability affects all versions up to and including 3.6.32. Unauthenticated attackers can exploit this flaw to inject malicious SQL queries, potentially leading to sensitive data extraction from the WordPress database. Immediate action is required to update the plugin and mitigate the risk.
Technical Details
The vulnerability stems from insufficient escaping of the auction_id parameter and a lack of proper preparation in the existing SQL query within the My Auctions Allegro plugin. An attacker can manipulate the auction_id parameter to…
Overview
A critical vulnerability, identified as CVE-2025-12374, has been discovered in the "Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification" plugin for WordPress. This flaw allows unauthenticated attackers to bypass the login process and gain access to accounts, potentially including administrator accounts, without providing a valid One-Time Password (OTP).
Technical Details
The vulnerability resides in the user_verification_form_wrap_process_otpLogin function of the plugin. Versions up to and including 2.0.39 are affected. The core issue is the lack of proper validation to ensure that an OTP was actually generated before comparing it against user-submitted input.…