• Cybersecurity Vulnerabilities

    CVE-2025-13622: Unveiling a Reflected XSS Vulnerability in Jabbernotification WordPress Plugin

Overview: CVE-2025-13622 identifies a Reflected Cross-Site Scripting (XSS) vulnerability present in the Jabbernotification plugin for WordPress. This vulnerability affects all versions up to and including 0.99-RC2. It stems from insufficient input sanitization and output escaping within the plugin’s admin.php file when processing the PATH_INFO variable. This allows attackers to inject malicious JavaScript code into web pages, which can execute if a user interacts with a crafted link. Unauthenticated attackers can exploit this by tricking users into clicking a malicious link.

    Technical Details: The vulnerability resides in the way the Jabbernotification plugin handles the PATH_INFO variable within the admin.php file. Specifically,…

  • Cybersecurity Vulnerabilities

    Critical Vulnerability Alert: Dream Gallery Plugin Exposes WordPress Sites to CSRF Attacks (CVE-2025-13621)

Overview: A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Dream Gallery plugin for WordPress, tracked as CVE-2025-13621. This vulnerability affects all versions of the plugin up to and including version 1.0. Due to missing or inadequate nonce validation on the ‘dreampluginsmain’ AJAX action, unauthenticated attackers can potentially modify the plugin’s settings and inject malicious web scripts by crafting a forged request. The success of this attack relies on tricking a site administrator into unknowingly triggering the request, for instance, by clicking a malicious link.

    Technical Details: The vulnerability stems from the lack of proper nonce validation within…

  • Cybersecurity Vulnerabilities

    Sermon Manager Plugin Under Attack: Stored XSS Vulnerability (CVE-2025-12368)

Overview: A medium-severity security vulnerability, identified as CVE-2025-12368, has been discovered in the Sermon Manager plugin for WordPress. This vulnerability exposes websites using the plugin to Stored Cross-Site Scripting (XSS) attacks. All versions of the plugin up to and including 2.30.0 are affected. This article provides an overview of the vulnerability, technical details, potential impact, and steps to mitigate the risk.

    Technical Details: The vulnerability lies within the sermon-views shortcode. Insufficient input sanitization and output escaping on user-supplied attributes within this shortcode allow authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages or posts. Specifically,…

  • Cybersecurity Vulnerabilities

    CVE-2025-12189: Critical CSRF Vulnerability Exposes Bread & Butter WordPress Plugin to RCE

Overview: CVE-2025-12189 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the “Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents” WordPress plugin. This vulnerability exists in all versions up to, and including, 7.10.1321. Successful exploitation could allow unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution (RCE).

    Technical Details: The vulnerability lies in the uploadImage() function within the Bread & Butter plugin. The function lacks proper nonce validation, making it susceptible to CSRF attacks. An attacker can craft a malicious request and trick a WordPress administrator into executing it…

  • Cybersecurity Vulnerabilities

    ContentStudio Plugin Under Attack: Critical Arbitrary File Upload Vulnerability (CVE-2025-12181)

Overview: A high-severity vulnerability, tracked as CVE-2025-12181, has been identified in the ContentStudio plugin for WordPress. This vulnerability allows authenticated users with Author-level access and above to upload arbitrary files to the affected WordPress server. This is due to missing file type validation in the cstu_update_post() function. Successful exploitation of this vulnerability could lead to remote code execution (RCE), posing a significant risk to the affected website.

    Technical Details: The vulnerability resides within the cstu_update_post() function in the ContentStudio plugin. Specifically, the plugin fails to properly validate the type of files being uploaded. An authenticated attacker with Author-level permissions or…

  • Cybersecurity Vulnerabilities

    Critical Alert: Stored XSS Vulnerability Discovered in Omnipress WordPress Plugin (CVE-2025-12163)

Overview: A stored Cross-Site Scripting (XSS) vulnerability has been identified in the Omnipress WordPress plugin. This vulnerability, tracked as CVE-2025-12163, affects versions up to and including 1.6.3. It allows authenticated attackers with Author-level permissions or higher to inject arbitrary web scripts into SVG files uploaded through the plugin. These scripts will then execute whenever a user accesses the affected SVG file.

    Technical Details: The vulnerability stems from insufficient input sanitization and output escaping during the processing of SVG file uploads. Specifically, the Omnipress plugin fails to properly sanitize user-supplied data within SVG files before storing them on the server. This…

  • Cybersecurity Vulnerabilities

    Urgent: Auto Thumbnailer Plugin Flaw Opens Door to Remote Code Execution on WordPress Sites (CVE-2025-12154)

Overview: A critical vulnerability, identified as CVE-2025-12154, has been discovered in the Auto Thumbnailer plugin for WordPress. This flaw allows authenticated attackers, with Contributor-level access or higher, to upload arbitrary files to the affected WordPress server. Due to the lack of proper file type validation, this can lead to remote code execution (RCE), potentially granting attackers full control of the compromised website.

    Technical Details: The vulnerability resides in the uploadThumb() function within the Auto Thumbnailer plugin. The function lacks adequate validation of the file type being uploaded. An attacker can exploit this by uploading a malicious file (e.g., a PHP…

  • Cybersecurity Vulnerabilities

    Urgent Security Alert: Arbitrary File Upload in Featured Image via URL WordPress Plugin (CVE-2025-12153)

Overview: A critical security vulnerability, identified as CVE-2025-12153, has been discovered in the Featured Image via URL plugin for WordPress. This vulnerability allows authenticated attackers with Contributor-level access or higher to upload arbitrary files to the affected WordPress server. This could potentially lead to remote code execution (RCE) and full compromise of the website. All versions of the Featured Image via URL plugin up to and including version 0.1 are affected.

    Technical Details: The vulnerability stems from a missing file type validation function within the plugin. When uploading a featured image via URL, the plugin fails to properly verify the…

  • Cybersecurity Vulnerabilities

    CVE-2025-12133: Medium Severity Vulnerability in EPROLO Dropshipping Plugin

Overview: A medium-severity vulnerability, identified as CVE-2025-12133, has been discovered in the EPROLO Dropshipping plugin for WordPress. This vulnerability affects versions up to and including 2.3.1 and allows authenticated attackers with Subscriber-level access or higher to modify and delete tracking data. This can lead to data manipulation and potential supply chain disruptions for WooCommerce store owners using the plugin.

    Technical Details: The vulnerability stems from a missing capability check on the wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data AJAX endpoints. These endpoints are responsible for deleting and saving tracking information associated with orders managed through the EPROLO Dropshipping plugin. Due to the lack…

  • Cybersecurity Vulnerabilities

    CVE-2025-12128: Critical CSRF Vulnerability Discovered in “Hide Categories Or Products On Shop Page” WordPress Plugin

Overview: CVE-2025-12128 identifies a Cross-Site Request Forgery (CSRF) vulnerability present in the “Hide Categories Or Products On Shop Page” WordPress plugin. This security flaw affects all versions up to and including version 1.0.7. The vulnerability stems from a lack of proper nonce validation within the save_data_hcps() function. This allows an unauthenticated attacker to potentially modify the plugin’s settings by crafting a malicious request and tricking a logged-in administrator into executing it (e.g., by clicking a link).

    Technical Details: The core of the vulnerability lies in the save_data_hcps() function, which is responsible for saving the plugin’s configuration settings. The absence of…