Overview CVE-2025-12373 details a Cross-Site Request Forgery (CSRF) vulnerability affecting the Torod – The smart shipping and delivery portal for e-shops and retailers plugin for WordPress. All versions up to and including version 1.9 are affected. This flaw allows an unauthenticated attacker to potentially modify the plugin’s settings by tricking a site administrator into performing an unintended action, such as clicking a malicious link. Technical Details The vulnerability resides within the save_settings function of the Torod plugin. The core issue is the absence of proper nonce validation. Nonces are cryptographic tokens designed to prevent CSRF attacks by ensuring that requests…

Overview CVE-2025-12355 identifies a medium-severity vulnerability affecting the Payaza WordPress plugin, versions up to and including 0.3.8. This flaw allows unauthenticated attackers to modify order statuses due to a missing capability check on the wp_ajax_nopriv_update_order_status AJAX endpoint. This means anyone can potentially change the status of orders processed through your website without needing any valid user credentials. This can lead to significant disruptions and potential fraud. Technical Details The vulnerability lies within the wp_ajax_nopriv_update_order_status AJAX action, which is intended to be used to update the status of orders. Due to the lack of proper authentication checks (specifically, a missing capability…

Overview CVE-2025-12354 is a medium-severity security vulnerability affecting the Live CSS Preview WordPress plugin. This flaw allows authenticated attackers with Subscriber-level access (or higher) to modify the plugin’s CSS settings. This can lead to potential defacement of the website, CSS injection attacks, or other malicious activities leveraging the altered CSS. Technical Details The vulnerability lies in the lack of a proper capability check on the wp_ajax_frontend_save AJAX endpoint. Specifically, versions up to and including 2.0.0 of the Live CSS Preview plugin do not verify if the user attempting to access and utilize this endpoint possesses the necessary privileges to modify…

Overview CVE-2025-12186 identifies a Stored Cross-Site Scripting (XSS) vulnerability within the Weekly Planner plugin for WordPress. This flaw affects versions up to and including 1.0. The vulnerability allows authenticated attackers with administrator-level permissions (or above) to inject malicious JavaScript code into the plugin’s settings. This injected script will then execute whenever a user accesses a page or area where the plugin renders these compromised settings. Crucially, this vulnerability primarily affects multi-site WordPress installations and single-site installations where the unfiltered_html capability has been disabled. Technical Details The root cause of this vulnerability lies in the insufficient input sanitization and output escaping…

Overview A significant security vulnerability, identified as CVE-2025-12093, has been discovered in the Voidek Employee Portal plugin for WordPress. This vulnerability allows unauthenticated attackers to perform actions such as registering accounts, deleting users, and modifying details within the employee portal. This poses a serious risk to the security and integrity of websites utilizing the affected plugin. Technical Details CVE-2025-12093 stems from a missing capability check on several AJAX actions within the Voidek Employee Portal plugin. Specifically, versions up to and including 1.0.6 are vulnerable. The lack of proper authentication checks means that attackers can bypass normal access controls and directly…

This article provides a detailed analysis of CVE-2025-66270, a medium severity vulnerability affecting KDE Connect and related applications. Understanding this vulnerability is crucial for users and administrators to ensure the security of their systems. Overview CVE-2025-66270 describes a flaw in the KDE Connect protocol 8 where device IDs are not properly correlated across different packets. This can potentially lead to security issues due to the inability to reliably identify and verify the source of communication. This vulnerability affects various implementations of KDE Connect, including the desktop version, iOS and Android apps, as well as GSConnect and Valent. Technical Details The…

Overview CVE-2025-32900 is a medium severity vulnerability affecting the KDE Connect information-exchange protocol. This vulnerability allows an attacker to craft a malicious packet that can temporarily change the displayed information about a device connected to the KDE Connect network. This is possible due to the use of broadcast UDP for communication within the KDE Connect protocol. The vulnerability affects various KDE Connect implementations across different platforms. Technical Details The vulnerability stems from the way KDE Connect utilizes broadcast UDP for device discovery and information exchange. An attacker on the same network can send a specially crafted UDP packet that mimics…

Overview CVE-2025-13860 describes a stored Cross-Site Scripting (XSS) vulnerability found in the Easy Jump Links Menus plugin for WordPress. This vulnerability affects all versions up to and including 1.0.0. The flaw stems from insufficient input sanitization and output escaping of the h_tags parameter. Authenticated attackers with Contributor-level access or higher can exploit this vulnerability to inject malicious JavaScript code into pages. When a user visits a page containing the injected script, the script will execute in their browser, potentially allowing the attacker to steal sensitive information, redirect the user to a malicious website, or perform actions on behalf of the…

Overview A reflected Cross-Site Scripting (XSS) vulnerability has been identified in the WP-SOS-Donate Donation Sidebar Plugin for WordPress, tracked as CVE-2025-13625. This vulnerability affects all versions up to and including 0.9.2. Due to insufficient input sanitization and output escaping of the $_SERVER['PHP_SELF'] parameter, unauthenticated attackers can inject arbitrary web scripts into pages. This script executes if a user is tricked into performing an action, such as clicking a malicious link. Technical Details The vulnerability resides within the wp-sos-donate_options.php file of the WP-SOS-Donate plugin. The $_SERVER['PHP_SELF'] variable, which contains the filename of the currently executing script, is not properly sanitized before…

Overview A reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Twitscription plugin for WordPress. This vulnerability, tracked as CVE-2025-13623, affects all versions up to and including 0.1.1. Unauthenticated attackers can leverage this flaw to inject arbitrary web scripts into vulnerable pages. If a user clicks a malicious link, the injected script can execute, potentially compromising their session or performing actions on their behalf. Technical Details The vulnerability stems from insufficient input sanitization and output escaping within the admin.php file, specifically when handling the PATH_INFO variable. The Twitscription plugin fails to properly sanitize and encode user-supplied data passed through…