Published: 2025-11-18 Overview CVE-2025-12411 is a high-severity SQL Injection vulnerability affecting the Premmerce Wholesale Pricing for WooCommerce plugin for WordPress, specifically versions up to and including 1.1.10. This vulnerability allows authenticated attackers with subscriber-level access or higher to execute arbitrary SQL queries, potentially leading to data breaches and website compromise. The vulnerability stems from insufficient input sanitization and inadequate SQL query preparation. Technical Details The vulnerability resides in the plugin’s handling of the ‘ID’ parameter within the admin-post.php script. Specifically, the premmerce_update_price_type action and the ‘price_type’ parameter of the “premmerce_delete_price_type” action are vulnerable. Lack of proper escaping of the ‘ID’…

Overview CVE-2025-12406 describes a Cross-Site Request Forgery (CSRF) vulnerability found in the Project Honey Pot Spam Trap plugin for WordPress. This vulnerability affects all versions of the plugin up to and including 1.0.1. Due to missing or insufficient nonce validation within the printAdminPage() function, an unauthenticated attacker can potentially manipulate the plugin’s settings and inject malicious web scripts. This requires tricking a site administrator into performing an action, such as clicking a malicious link. Technical Details The vulnerability stems from the lack of proper CSRF protection in the printAdminPage() function within the project_honey_pot.php file. Specifically, the code fails to validate…

Overview A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Like-it WordPress plugin, tracked as CVE-2025-12404. This vulnerability affects all versions of the plugin up to and including version 2.2. Successful exploitation of this vulnerability allows unauthenticated attackers to modify plugin settings and inject malicious web scripts if they can trick an administrator into performing an unintended action, such as clicking a specially crafted link. Technical Details The vulnerability stems from missing or inadequate nonce validation in the likeit_conf() function. This function handles the plugin’s configuration settings. The absence of proper nonce verification means that an attacker can…

Overview CVE-2025-12372 identifies a medium-severity vulnerability within the Permalinks Cascade plugin for WordPress. All versions up to and including version 2.2 are affected. This flaw stems from missing authorization checks, allowing authenticated attackers (subscriber level and above) to perform unauthorized administrative actions. Specifically, they can enable or disable automatic pinging settings and modify page exclusion settings. Technical Details The vulnerability lies within the handleTPCAdminAjaxRequest function of the Permalinks Cascade plugin. The plugin fails to properly verify that the user initiating the AJAX request has the necessary permissions to perform the requested action. This allows authenticated users with subscriber-level or higher…

Overview A Cross-Site Request Forgery (CSRF) vulnerability has been discovered in the WP Admin Microblog plugin for WordPress. This vulnerability, identified as CVE-2025-12173, affects all versions up to and including 3.1.1. It allows unauthenticated attackers to potentially send messages on behalf of an administrator without their consent, provided they can trick the administrator into clicking a malicious link or performing another action that triggers a forged request. Technical Details The core issue lies in the lack of proper nonce validation on the ‘wp-admin-microblog’ page. Nonce validation is a crucial security measure that prevents attackers from forging requests by ensuring that…

Overview A reflected Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-12078, has been discovered in the ArtiBot Free Chat Bot for WebSites plugin for WordPress. This vulnerability affects all versions up to and including 1.1.7. Due to insufficient input sanitization and output escaping related to PostMessage handling, unauthenticated attackers can inject arbitrary web scripts into vulnerable pages. If a user is tricked into clicking a malicious link, the injected script will execute in their browser, potentially leading to account compromise, data theft, or other malicious activities. Technical Details The vulnerability resides in how the ArtiBot plugin processes data received via PostMessage.…

Overview This article details a stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-11868, affecting the Everviz plugin for WordPress. Exploitation of this vulnerability can allow attackers to inject malicious JavaScript code into WordPress pages, potentially compromising user accounts and website integrity. Technical Details CVE-2025-11868 resides in the way the Everviz plugin handles user-supplied input within the everviz shortcode. Specifically, the plugin fails to properly sanitize or escape the type and hash attributes when constructing a <div id=...> element. This lack of input validation allows an attacker to inject arbitrary HTML attributes and JavaScript code directly into the page’s HTML source.…

Overview A critical security vulnerability, identified as CVE-2025-11620, has been discovered in the Multiple Roles per User plugin for WordPress. This vulnerability allows authenticated attackers with the ‘edit_users’ capability to modify user roles, potentially leading to privilege escalation, including promoting users to Administrator roles and demoting existing Administrators. All versions up to and including version 1.0 are affected. Immediate action is recommended to mitigate this risk. Technical Details The vulnerability resides in the lack of a proper capability check on the mrpu_add_multiple_roles_ui and mrpu_save_multiple_user_roles functions within the plugin. Specifically, these functions, responsible for displaying the user role editing interface and…

Overview A critical vulnerability, identified as CVE-2025-8727, has been discovered in the Baseboard Management Controller (BMC) web interface of Supermicro MBD-X13SEDW-F motherboards. This vulnerability allows a remote attacker, after successfully authenticating to the BMC web server, to trigger a stack buffer overflow by sending a specially crafted payload. This could lead to remote code execution or denial of service. Technical Details The vulnerability exists within the BMC’s web function responsible for processing specific HTTP requests. An attacker can exploit this by sending a crafted request to a vulnerable endpoint. The payload is designed to overwrite data on the stack, potentially…

Overview A stack buffer overflow vulnerability, identified as CVE-2025-8404, has been discovered in the shared libraries of Supermicro Baseboard Management Controllers (BMCs). This vulnerability could allow an authenticated attacker with access to the BMC to achieve arbitrary code execution on the BMC’s firmware operating system by exploiting a crafted header. Successful exploitation allows for significant compromise of the affected system. Technical Details CVE-2025-8404 is a stack buffer overflow vulnerability present within a Supermicro BMC shared library. The vulnerability occurs because the BMC software fails to properly validate the size of data received in a specific header during communication. An authenticated…