Overview
CVE-2025-41346 describes a critical authentication bypass vulnerability in WinPlus v24.11.27, an application developed by Informática del Este. The flaw lets an attacker impersonate another user simply by knowing that user's numerical ID. Successful exploitation grants unauthorized access to the victim's account, compromising the confidentiality, integrity, and availability of the data the application stores for that user.

Technical Details
The vulnerability stems from a faulty authorization control mechanism in WinPlus v24.11.27. During certain actions the application does not adequately verify the caller's identity and relies solely on the user's numerical ID as proof of authentication, so knowing the ID is enough to act as that user. An attacker can…
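The failure class above, a handler that accepts a caller-supplied numerical user ID as identity, beside the corrected handler that derives identity from the server-side session. This is an added illustration, not WinPlus code; the Request object, the PROFILES table and the ADMINS set are constructed stand-ins for the application's session and user store.

```python
"""Treating a caller-supplied numerical user ID as identity.

Added illustration of the vulnerability class described above; this is not
WinPlus code. The Request object, the PROFILES table and the ADMINS set are
constructed here to stand in for the application's session and user store.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed user store: numerical ID -> profile data.
PROFILES = {
    1001: {"name": "alice", "email": "alice@example.invalid"},
    1002: {"name": "bob", "email": "bob@example.invalid"},
}
ADMINS = {1}  # IDs allowed to act on other users' accounts (constructed)


@dataclass
class Request:
    params: dict = field(default_factory=dict)  # client-controlled query/body
    session_user_id: Optional[int] = None       # set server-side after login


class Forbidden(Exception):
    pass


def profile_vulnerable(req: Request) -> dict:
    """Uses the 'user_id' parameter as proof of identity: anyone who knows a
    victim's numerical ID can read (or, in a write handler, change) their data,
    with or without a session of their own."""
    return PROFILES[int(req.params["user_id"])]


def profile_hardened(req: Request) -> dict:
    """Identity comes from the server-side session. A client-supplied ID is
    honoured only when it names the caller or the caller is an administrator."""
    if req.session_user_id is None:
        raise Forbidden("authentication required")
    requested = int(req.params.get("user_id", req.session_user_id))
    if requested != req.session_user_id and req.session_user_id not in ADMINS:
        raise Forbidden("caller may not act on another user's account")
    return PROFILES[requested]


def run_scenarios() -> dict:
    """Replays the same requests against both handlers and records the outcome."""
    anonymous = Request(params={"user_id": "1002"})
    cross_user = Request(params={"user_id": "1002"}, session_user_id=1001)
    own_account = Request(session_user_id=1001)
    admin = Request(params={"user_id": "1002"}, session_user_id=1)

    results = {
        "vulnerable/anonymous": profile_vulnerable(anonymous)["name"],
        "vulnerable/cross_user": profile_vulnerable(cross_user)["name"],
    }
    for label, req in (("anonymous", anonymous), ("cross_user", cross_user),
                       ("own_account", own_account), ("admin", admin)):
        try:
            results["hardened/" + label] = profile_hardened(req)["name"]
        except Forbidden as exc:
            results["hardened/" + label] = f"denied ({exc})"
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:<24} {outcome}")
```

The hardened handler still accepts a `user_id` parameter, because administrators legitimately need one; the difference is that the parameter is compared against the session rather than trusted in place of it.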
-
Overview
CVE-2025-13196 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability in the Element Pack Addons for Elementor plugin for WordPress. It resides in the plugin's Open Street Map widget and allows authenticated attackers with contributor-level access or higher to inject malicious JavaScript into website pages.

Technical Details
The vulnerability stems from insufficient input sanitization and output escaping of the marker content parameter in the Open Street Map widget, which is part of the Element Pack Addons for Elementor plugin. Attackers can inject malicious scripts into the marker content field. Due to the lack of proper…
-
Overview
A critical security vulnerability, identified as CVE-2025-13133, has been discovered in the Simple User Import Export plugin for WordPress. It exposes sites using the plugin to CSV Injection and affects all versions up to and including 1.1.7. Authenticated attackers with Administrator-level access (or higher) can embed formula payloads in exported CSV files. When such a file is downloaded and opened on a system with a vulnerable configuration (for example Microsoft Excel with default settings), the spreadsheet application evaluates the embedded formulas, potentially compromising the user's system.

Technical Details…
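What neutralising a CSV export looks like, as an added example for the entry above. It is not the plugin's code and the exported records are constructed. The point it makes is that quoting by `csv.writer` is not a defence: Excel and LibreOffice evaluate a quoted cell that begins with `=`, `+`, `-` or `@` as a formula, and a leading tab or carriage return hides the trigger character from a naive check. Prefixing such cells with a single quote forces the spreadsheet to treat them as text.

```python
"""Neutralising spreadsheet formulas in a CSV export.

Added example for the CSV Injection entry above (CVE-2025-13133); it is not the
plugin's code and the exported records are constructed.
"""
import csv
import io

# Characters that make Excel/LibreOffice treat a cell as a formula, plus the
# tab and carriage return that attackers put in front of them to hide them.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value) -> str:
    """Returns a value the spreadsheet will display as text.

    Numbers produced by the exporter itself pass through unchanged (a negative
    balance is not attacker text). Strings, which may come from user-editable
    fields, receive the text-forcing quote when they start with a trigger.
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = "" if value is None else str(value)
    return "'" + text if text.startswith(FORMULA_TRIGGERS) else text


def export_csv(header, rows) -> str:
    """Writes header and rows; every data cell passes through neutralize_cell."""
    buffer = io.StringIO()
    writer = csv.writer(buffer, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buffer.getvalue()


def column(csv_text: str, index: int) -> list:
    """Reads an export back and returns one column without the header, so the
    result can be checked independently of how csv.writer quoted it."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    return [row[index] for row in rows[1:]]


# Constructed user records. The first three display names carry the kind of
# formula payload an administrator-level attacker could store in a profile field.
HEADER = ["id", "display_name", "email", "balance"]
USERS = [
    ("u1", '=HYPERLINK("http://attacker.example/","click")', "u1@example.invalid", 10),
    ("u2", "\t-2+3", "u2@example.invalid", 0),
    ("u3", "@SUM(A1:A9)", "u3@example.invalid", 5),
    ("u4", "O'Neil, Pat", "u4@example.invalid", -42),
]


if __name__ == "__main__":
    print(export_csv(HEADER, USERS))
```

Typing matters here: the exporter must know which columns are numbers it produced and which are free text, because applying the quote to every cell beginning with `-` would turn negative amounts into text in the recipient's spreadsheet.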
-
Overview
A high-severity vulnerability, identified as CVE-2025-13069, has been discovered in the Enable SVG, WebP, and ICO Upload plugin for WordPress. It allows authenticated attackers with author-level access or higher to upload arbitrary files to the affected server because the plugin does not sufficiently validate file types, specifically for ICO files. All versions up to and including 1.1.2 are affected. Successful exploitation can lead to remote code execution (RCE), a significant risk to any WordPress site running the plugin.

Technical Details
The core issue lies in the plugin's inadequate validation of ICO…
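A structural check for uploaded ICO files, added here as an example of what "adequate validation" of this format involves; it is not the plugin's code and the sample files are constructed. It parses the ICONDIR header and each ICONDIRENTRY, requires every image blob to begin like PNG data or a DIB header, and rejects any bytes that no structure accounts for, which is where a polyglot upload carries its payload. A production pipeline should additionally decode each image with an image library before storing it.

```python
"""Structural validation of uploaded ICO files.

Added example for the ICO upload issue above (CVE-2025-13069); not the plugin's
code. The sample files below are constructed.
"""
import struct

ICONDIR = struct.Struct("<HHH")            # reserved, type, image count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # w, h, colors, reserved, planes, bpp, size, offset
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
DIB_HEADER_SIZES = {12, 40, 52, 56, 108, 124}  # BITMAPCOREHEADER .. BITMAPV5HEADER


def validate_ico(data: bytes):
    """Returns (accepted, reason)."""
    if len(data) < ICONDIR.size:
        return False, "shorter than an ICONDIR header"
    reserved, kind, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or kind != 1:
        return False, f"bad ICONDIR header (reserved={reserved}, type={kind})"
    if count == 0:
        return False, "no images declared"
    dir_end = ICONDIR.size + count * ICONDIRENTRY.size
    if dir_end > len(data):
        return False, "directory extends past end of file"

    spans = [(0, dir_end)]  # byte ranges accounted for by parsed structures
    for i in range(count):
        entry = ICONDIRENTRY.unpack_from(data, ICONDIR.size + i * ICONDIRENTRY.size)
        _w, _h, _colors, ent_reserved, _planes, _bpp, size, offset = entry
        if ent_reserved != 0:
            return False, f"entry {i}: reserved byte is {ent_reserved}"
        if offset < dir_end or size < 8 or offset + size > len(data):
            return False, f"entry {i}: image range [{offset}, {offset + size}) is invalid"
        blob = data[offset:offset + size]
        is_png = blob.startswith(PNG_MAGIC)
        is_dib = struct.unpack_from("<I", blob, 0)[0] in DIB_HEADER_SIZES
        if not (is_png or is_dib):
            return False, f"entry {i}: image data is neither PNG nor DIB"
        spans.append((offset, offset + size))

    # Every byte must belong to the header, the directory or a referenced image.
    spans.sort()
    covered_to = 0
    for start, stop in spans:
        if start > covered_to:
            return False, f"{start - covered_to} unreferenced bytes at offset {covered_to}"
        covered_to = max(covered_to, stop)
    if covered_to < len(data):
        return False, f"{len(data) - covered_to} trailing bytes after the last image"
    return True, "ok"


def build_ico(blobs) -> bytes:
    """Assembles a structurally valid ICO around the given image blobs (test helper)."""
    out = bytearray(ICONDIR.pack(0, 1, len(blobs)))
    offset = ICONDIR.size + len(blobs) * ICONDIRENTRY.size
    for blob in blobs:
        out += ICONDIRENTRY.pack(16, 16, 0, 0, 1, 32, len(blob), offset)
        offset += len(blob)
    for blob in blobs:
        out += blob
    return bytes(out)


# Constructed samples. FAKE_PNG carries only the PNG signature, which is all this
# structural check inspects; a real pipeline also decodes the image.
FAKE_PNG = PNG_MAGIC + b"\x00" * 16
GOOD_ICO = build_ico([FAKE_PNG])
PAYLOAD = b"<?php /* attacker-controlled code */ ?>"
POLYGLOT_ICO = GOOD_ICO + PAYLOAD            # valid icon with trailing PHP
WRAPPED_PAYLOAD_ICO = build_ico([PAYLOAD])   # directory entry pointing at PHP


if __name__ == "__main__":
    for name, sample in (("good", GOOD_ICO), ("polyglot", POLYGLOT_ICO),
                         ("wrapped", WRAPPED_PAYLOAD_ICO), ("raw php", PAYLOAD)):
        print(name, validate_ico(sample))
```

The trailing-bytes rule is the one most extension-based or magic-only checks skip, and it is the one that stops a file that is simultaneously a valid icon and a PHP script.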
-
Overview
A critical vulnerability, identified as CVE-2025-12955, has been discovered in the Live Sales Notifications for WooCommerce plugin for WordPress. A missing authorization check in the `getOrders` function allows unauthenticated attackers to access sensitive customer information. All versions up to and including 2.3.39 are affected; if you use this plugin, update to the latest version as soon as possible.

Technical Details
The vulnerability lies in the plugin's `getOrders` function, which retrieves recent order data for display in the live sales notifications. The plugin lacks proper authorization…
-
Overview
A Stored Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2025-12691, has been identified in the Photonic Gallery & Lightbox for Flickr, SmugMug & Others plugin for WordPress. It allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages; the scripts execute whenever a user loads a page containing the injected content. All versions of the Photonic Gallery plugin up to and including 3.21 are affected.

Technical Details
The vulnerability stems from insufficient input sanitization and output escaping of the user-supplied caption attribute in the plugin's lightbox functionality. Specifically, when users create or…
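Both stored XSS entries above (the Open Street Map marker content in CVE-2025-13196 and the lightbox caption attribute in CVE-2025-12691) come down to output escaping that does not match the context the value lands in. The added example below is not either plugin's code; the templates, field names and payloads are constructed. It renders the same two stored values through an unescaped template and a context-aware one, then feeds both results to the standard-library HTML parser to show which elements and event handlers a browser would actually see. WordPress's counterparts to the two escapers are `esc_html()` for element text and `esc_attr()` for attribute values.

```python
"""Context-aware output escaping for user-controlled widget text.

Added example for the stored XSS entries above; not either plugin's code.
Templates, field names and payloads are constructed.
"""
import html
from html.parser import HTMLParser


def render_vulnerable(marker_text: str, caption: str) -> str:
    """Interpolates stored values straight into markup: the text can open new
    elements and the caption can close its attribute and add handlers."""
    return f'<div class="marker" title="{caption}">{marker_text}</div>'


def esc_text(value: str) -> str:
    """For element content: neutralises & < > so no tag can start."""
    return html.escape(value, quote=False)


def esc_attr(value: str) -> str:
    """For a quoted attribute value: additionally neutralises both quote styles."""
    return html.escape(value, quote=True)


def render_hardened(marker_text: str, caption: str) -> str:
    """Same template, each value escaped for the exact context it lands in.
    The attribute stays double-quoted: escaping alone does not secure an
    unquoted attribute, where a space ends the value."""
    return f'<div class="marker" title="{esc_attr(caption)}">{esc_text(marker_text)}</div>'


class TagCollector(HTMLParser):
    """Records what a browser-like parser sees: element names and on* handlers."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def parse_markup(markup: str):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.handlers


# Constructed payloads: one breaks out of element text, one out of the attribute.
PAYLOAD_TEXT = '<img src=x onerror="alert(document.cookie)">'
PAYLOAD_ATTR = '" onmouseover="alert(1)'


def compare() -> dict:
    """Parses both renderings and reports the elements and handlers in each."""
    return {
        "vulnerable": parse_markup(render_vulnerable(PAYLOAD_TEXT, PAYLOAD_ATTR)),
        "hardened": parse_markup(render_hardened(PAYLOAD_TEXT, PAYLOAD_ATTR)),
    }


if __name__ == "__main__":
    for name, (tags, handlers) in compare().items():
        print(f"{name}: elements={tags} handlers={handlers}")
```

Escaping at output time is the control that holds even when input sanitization was skipped or bypassed; the two are complementary, which is why the advisories name both.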
-
Overview
CVE-2025-12639 identifies an authorization bypass vulnerability in the wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions plugin for WordPress. It allows authenticated attackers with subscriber-level access or higher to read information that should not be available to them, including user emails, usernames, roles, and capabilities, as well as WooCommerce data such as products and payment methods. Versions up to and including 1.2.2 are affected.

Technical Details
The vulnerability stems from improper verification of user authorization when the plugin handles AJAX requests. Specifically, the AJAX endpoint does not adequately check whether the requesting user…
-
Overview
CVE-2025-12481 is a medium-severity vulnerability in the WP Duplicate Page plugin for WordPress, affecting versions up to and including 1.7. It stems from a missing authorization check in the `saveSettings` function: an attacker with Contributor-level access or higher can modify the plugin's settings, potentially leading to privilege escalation and unauthorized access to sensitive information.

Technical Details
The vulnerability resides in the insufficient authorization checks in the `saveSettings` function of the WP Duplicate Page plugin. Specifically, the plugin does not adequately verify that a user has the necessary permissions before allowing them to modify the plugin's settings…
-
Overview
This article details CVE-2025-12457, a Stored Cross-Site Scripting (XSS) vulnerability in the "Enable SVG, WebP, and ICO Upload" plugin for WordPress. It allows authenticated attackers with Author-level access or higher to upload SVG files carrying malicious JavaScript. When a user views such a file, the embedded script executes, potentially leading to account compromise, data theft, or other malicious activity.

Technical Details
The vulnerability exists because the plugin fails to properly sanitize user-supplied input during SVG file uploads and does not adequately escape output when rendering these files. Specifically, versions of the plugin up to and…
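An upload-time scan for active content in SVG files, added as an example of the sanitization step the entry above says is missing; it is not the plugin's code and both sample documents are constructed. SVG is XML, so the filter inspects the parsed tree rather than the extension or a byte pattern: script-like elements, `on*` handler attributes, and `javascript:` links (here obfuscated with a character reference) all execute when the image is opened directly in a browser. The standard-library parser is used so the block runs without dependencies; for untrusted XML in production, parse with `defusedxml`, which guards against entity-expansion attacks the stdlib parser does not.

```python
"""Upload-time scan for active content in SVG files.

Added example for CVE-2025-12457 above; not the plugin's code. Both sample
documents are constructed.
"""
import xml.etree.ElementTree as ET

ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
URI_ATTRIBUTES = {"href", "src"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def local_name(qualified: str) -> str:
    """'{http://www.w3.org/2000/svg}rect' -> 'rect'."""
    return qualified.rsplit("}", 1)[-1]


def is_script_uri(value: str) -> bool:
    """Browsers ignore whitespace and control characters inside a URL scheme,
    so strip them before comparing."""
    compact = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return compact.lower().startswith(SCRIPT_SCHEMES)


def svg_findings(document: bytes) -> list:
    """Returns the reasons to reject the upload; an empty list means this scan
    found no active content."""
    try:
        root = ET.fromstring(document)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if local_name(root.tag) != "svg":
        findings.append(f"root element is <{local_name(root.tag)}>, not <svg>")
    for element in root.iter():
        name = local_name(element.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attribute, value in element.attrib.items():
            attr = local_name(attribute).lower()
            if attr.startswith("on"):
                findings.append(f"event handler {attr} on <{name}>")
            elif attr in URI_ATTRIBUTES and is_script_uri(value):
                findings.append(f"{attr} with script URI on <{name}>")
    return findings


def accept_svg_upload(document: bytes) -> bool:
    return not svg_findings(document)


# Constructed samples: a plain icon and a file with three kinds of active content.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="#09f"/></svg>')

MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(document.domain)</script>
  <a xlink:href="java&#x09;script:alert(1)"><text y="10">click</text></a>
  <rect width="10" height="10" onload="alert(2)"/>
</svg>"""


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, svg_findings(sample) or "accepted")
```

A scan like this is a reject-list and will lag new vectors; where SVG uploads are a requirement, pair it with an allow-list sanitizer and serve the files with a restrictive Content-Security-Policy so that any script which does slip through has nothing to reach.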
-
Overview
CVE-2025-12392 is a medium-severity vulnerability in the Cryptocurrency Payment Gateway for WooCommerce plugin for WordPress. A missing capability check in the `handle_optin_optout` function allows unauthenticated attackers to modify users' tracking preferences (opt-in/opt-out). All versions up to and including 2.0.22 are affected.

Technical Details
The vulnerability resides in the plugin's `handle_optin_optout` function, which lacks an authorization check to verify that the user initiating the request has the capability to modify tracking settings. As a result, an unauthenticated attacker can craft a request that opts in or opts out a user…
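Four of the entries above (`getOrders` in CVE-2025-12955, the AJAX data exposure in CVE-2025-12639, `saveSettings` in CVE-2025-12481 and `handle_optin_optout` in CVE-2025-12392) are the same defect: an endpoint that runs without asking who the caller is or what they may do. The added example below is not any of those plugins' code; the User model, capability names, stored data and endpoint wiring are constructed. It shows a dispatcher that refuses to register an endpoint unless it declares a required capability or is marked public on purpose, so the check cannot be forgotten inside a handler, and it replays the same requests against an unchecked wiring and the hardened one. In WordPress the equivalent checks are `current_user_can()` together with `check_ajax_referer()` at the top of the handler.

```python
"""Deny-by-default authorization for AJAX-style endpoints.

Added example for the missing-authorization entries above; not any plugin's
code. User model, capability names, stored data and wiring are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class User:
    id: int
    caps: FrozenSet[str]


class Unauthorized(Exception):
    pass


# Constructed site state.
ORDERS = [{"id": 501, "customer": "alice@example.invalid", "total": 42.0}]
SETTINGS = {"tracking_enabled": True}
TRACKING_OPT_OUT = {1001: False, 1002: False}


def get_orders(user, **_):
    return list(ORDERS)


def save_settings(user, **changes):
    SETTINGS.update(changes)
    return dict(SETTINGS)


def handle_optin_optout(user, *, user_id: int, opt_out: bool):
    """Acts on whichever user_id the request names."""
    TRACKING_OPT_OUT[user_id] = opt_out
    return TRACKING_OPT_OUT[user_id]


def handle_own_optout(user, *, opt_out: bool, **_):
    """Ownership fix: the target is the authenticated caller, never a parameter."""
    return handle_optin_optout(user, user_id=user.id, opt_out=opt_out)


class Dispatcher:
    """Authorization runs before any handler. An endpoint must declare the
    capability it requires or be marked public on purpose."""

    def __init__(self):
        self._routes: Dict[str, Tuple[Callable, Optional[str], bool]] = {}

    def register(self, action: str, handler: Callable, *,
                 capability: Optional[str] = None, public: bool = False):
        if capability is None and not public:
            raise ValueError(f"{action}: declare a capability or mark it public")
        self._routes[action] = (handler, capability, public)

    def dispatch(self, action: str, user: Optional[User], **params):
        handler, capability, public = self._routes[action]
        if not public:
            if user is None:
                raise Unauthorized(f"{action}: authentication required")
            if capability not in user.caps:
                raise Unauthorized(f"{action}: requires capability {capability}")
        return handler(user, **params)


def vulnerable_wiring() -> Dispatcher:
    """Every action reachable without any check."""
    d = Dispatcher()
    d.register("get_orders", get_orders, public=True)
    d.register("save_settings", save_settings, public=True)
    d.register("handle_optin_optout", handle_optin_optout, public=True)
    return d


def hardened_wiring() -> Dispatcher:
    """Capability names are illustrative, not any plugin's real ones."""
    d = Dispatcher()
    d.register("get_orders", get_orders, capability="view_orders")
    d.register("save_settings", save_settings, capability="manage_options")
    d.register("handle_optin_optout", handle_own_optout, capability="read")
    return d


def run_scenarios() -> dict:
    """Replays the same requests against both wirings; records allow/deny and
    whose tracking preference actually changed."""
    subscriber = User(1001, frozenset({"read"}))
    shop_manager = User(7, frozenset({"read", "view_orders"}))
    requests = (
        ("get_orders", None, {}),                                                # unauthenticated
        ("save_settings", subscriber, {"tracking_enabled": False}),              # low privilege
        ("handle_optin_optout", subscriber, {"user_id": 1002, "opt_out": True}),  # other user's record
        ("get_orders", shop_manager, {}),                                        # legitimately privileged
    )
    out = {}
    for label, dispatcher in (("vulnerable", vulnerable_wiring()), ("hardened", hardened_wiring())):
        TRACKING_OPT_OUT.update({1001: False, 1002: False})
        for action, user, params in requests:
            who = "anon" if user is None else f"user{user.id}"
            try:
                dispatcher.dispatch(action, user, **params)
                out[f"{label}:{action}:{who}"] = "allowed"
            except Unauthorized:
                out[f"{label}:{action}:{who}"] = "denied"
        out[f"{label}:opt_out_changed"] = sorted(uid for uid, v in TRACKING_OPT_OUT.items() if v)
    return out


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key:<45} {value}")
```

Note the two separate fixes for the opt-out endpoint: the capability check decides whether the caller may use the endpoint at all, and `handle_own_optout` decides whose record it touches. Either one alone leaves a gap.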