Gowri Shankar

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.

Urgent: Critical Vulnerability Exposes WordPress Sites Using Starter Templates Plugin (CVE-2025-13065)

by

Overview A critical vulnerability, identified as CVE-2025-13065, has been discovered in the Starter Templates plugin for WordPress. This vulnerability affects all versions up to and including 4.4.41. It allows authenticated attackers with author-level access or higher to upload arbitrary files to the affected server, potentially leading to remote code execution. Technical Details The vulnerability stems … Read more

Urgent: Critical Vulnerability Exploitable in All-in-One Video Gallery Plugin!

by

Overview A high-severity vulnerability, identified as CVE-2025-12966, has been discovered in the All-in-One Video Gallery plugin for WordPress. This vulnerability allows authenticated attackers with Author-level access or higher to upload arbitrary files to the affected WordPress server. Successful exploitation of this vulnerability can lead to remote code execution, potentially compromising the entire website. This article … Read more

Urgent: Unauthenticated XSS Threat in Rich Shortcodes for Google Reviews Plugin (CVE-2025-12499)

by

Overview A critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-12499, has been discovered in the Rich Shortcodes for Google Reviews plugin for WordPress. This vulnerability affects all versions up to and including 6.8. It allows unauthenticated attackers to inject malicious JavaScript code into pages through manipulated Google review content, potentially compromising user accounts and … Read more

Fluent Forms Under Fire: CVE-2025-13748 Exposes Submission Data to Unauthenticated Attackers

by

Overview CVE-2025-13748 identifies a security vulnerability within the Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress. Specifically, it’s an Insecure Direct Object Reference (IDOR) flaw that allows unauthenticated attackers to potentially mark arbitrary form submissions as failed. This affects versions up to and including 6.1.7 of the Fluent … Read more

Urgent Security Alert: Critical Arbitrary Folder Deletion Vulnerability in 10Web Booster Plugin (CVE-2025-13377)

by

Published: 2025-12-06 Overview A critical vulnerability, identified as CVE-2025-13377, has been discovered in the 10Web Booster – Website speed optimization, Cache & Page Speed optimizer plugin for WordPress. This vulnerability allows authenticated attackers with Subscriber-level access (or higher) to delete arbitrary folders on the server. This can lead to significant data loss and a denial-of-service … Read more

CVE-2025-14117: Critical CSRF Vulnerability Discovered in fit2cloud Halo 2.21.10

by

Overview A Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2025-14117, has been discovered in fit2cloud Halo version 2.21.10. This vulnerability allows an attacker to potentially execute unauthorized actions on behalf of an authenticated user. The vendor was notified but did not respond. Technical Details The vulnerability resides in an unspecified function within fit2cloud Halo 2.21.10. … Read more

CSS3 Buttons Plugin XSS Vulnerability: Are You at Risk? (CVE-2025-13907)

by

Overview CVE-2025-13907 is a Stored Cross-Site Scripting (XSS) vulnerability found in the CSS3 Buttons plugin for WordPress. This vulnerability affects all versions up to and including 0.1. It allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into WordPress pages. These scripts will execute whenever a user accesses the compromised page, … Read more

CVE-2025-13899: TR Timthumb Plugin XSS Vulnerability – Secure Your WordPress Site Now!

by

Overview A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the TR Timthumb WordPress plugin. Designated as CVE-2025-13899, this flaw affects all versions up to and including 1.0.4. The vulnerability stems from inadequate sanitization of user-supplied input within shortcode attributes. This allows authenticated attackers with Contributor-level access or higher to inject malicious JavaScript code … Read more

Ultra Skype Button Plugin Vulnerable to Stored XSS: CVE-2025-13898

by

Overview CVE-2025-13898 describes a stored cross-site scripting (XSS) vulnerability present in the Ultra Skype Button plugin for WordPress. This vulnerability affects all versions up to and including 1.0. An authenticated attacker with Contributor-level access or higher can inject malicious JavaScript code into WordPress pages. This injected code will then execute whenever a user visits the … Read more

Social Feed Gallery Portfolio Plugin: Critical Stored XSS Vulnerability (CVE-2025-13896)

by

Overview A stored Cross-Site Scripting (XSS) vulnerability has been discovered in the Social Feed Gallery Portfolio plugin for WordPress. This vulnerability, identified as CVE-2025-13896, affects all versions up to and including 1.3. It allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into WordPress pages. These scripts execute whenever a user … Read more