Critical Alert: Reflected XSS Found in CSV Sumotto WordPress Plugin (CVE-2025-13894)

CVE-2025-13894 describes a Reflected Cross-Site Scripting (XSS) vulnerability identified in the CSV Sumotto plugin for WordPress. This vulnerability affects all versions of the plugin up to and including version 1.0. The flaw stems from insufficient sanitization and output escaping of $_SERVER['PHP_SELF'], a value derived from the request path and therefore attacker-influenced, which allows script injection on affected pages. Unauthenticated attackers …

RevInsite Plugin Under Attack: Stored XSS Vulnerability Uncovered (CVE-2025-13863)

CVE-2025-13863 identifies a Stored Cross-Site Scripting (XSS) vulnerability present in the RevInsite plugin for WordPress. This vulnerability affects all versions up to, and including, 1.1.0. It allows authenticated attackers with Contributor-level access or higher to inject malicious JavaScript code into pages via the vulnerable `token` parameter. When a user visits a page containing the …

CVE-2025-13857: Critical XSS Flaw Exposes WordPress Sites Using Yet Another WebClap

CVE-2025-13857 identifies a Stored Cross-Site Scripting (XSS) vulnerability affecting the "Yet Another WebClap for WordPress" plugin. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject malicious JavaScript code into WordPress pages or posts. This code will then execute whenever a user views the affected page, potentially leading to account compromise, data …

Urgent Security Alert: Stored XSS Vulnerability in Extra Post Images WordPress Plugin (CVE-2025-13856)

A Stored Cross-Site Scripting (XSS) vulnerability has been discovered in the Extra Post Images plugin for WordPress. This vulnerability, identified as CVE-2025-13856, affects all versions up to and including 1.0. Exploitation of this vulnerability can allow attackers with Contributor-level access or higher to inject malicious JavaScript code into pages. This code will then execute …

Helloprint WordPress Plugin Vulnerability: Unauthenticated Order Status Modification (CVE-2025-13666)

This blog post details a critical security vulnerability, identified as CVE-2025-13666, affecting the Helloprint plugin for WordPress. This vulnerability allows unauthenticated attackers to modify WooCommerce order statuses, potentially leading to significant business disruption and financial loss. Technical Details: CVE-2025-13666 is a Missing Authorization vulnerability present in versions of the Helloprint plugin up to and …

Urgent: Stored XSS Vulnerability Discovered in Cute News Ticker WordPress Plugin (CVE-2025-13656)

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Cute News Ticker plugin for WordPress. This vulnerability, tracked as CVE-2025-13656, affects all versions up to, and including, 1.0. The flaw allows authenticated attackers with Contributor-level access or higher to inject malicious JavaScript code into WordPress pages and posts. This injected code can …

Urgent: CSRF Vulnerability Found in WP Landing Page Plugin (CVE-2025-13629) – Update Immediately!

A medium-severity security vulnerability, identified as CVE-2025-13629, has been discovered in the WP Landing Page plugin for WordPress. This vulnerability affects all versions up to, and including, 0.9.3. It stems from a Cross-Site Request Forgery (CSRF) flaw within the plugin's code, specifically the lack of nonce validation in the wplp_api_update_text function. This …

CVE-2025-13626: Unauthenticated Reflected XSS Vulnerability in myLCO WordPress Plugin

CVE-2025-13626 describes a reflected Cross-Site Scripting (XSS) vulnerability found in the myLCO WordPress plugin. This vulnerability affects all versions up to and including 0.8.1. It stems from insufficient input sanitization and output escaping of the $_SERVER['PHP_SELF'] value, which reflects the request path. This allows unauthenticated attackers to inject arbitrary web scripts into vulnerable pages. Technical Details: The vulnerability exists …
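The two PHP_SELF entries above (CVE-2025-13894 and CVE-2025-13626) and the Contributor-level stored XSS entries (CVE-2025-13863, CVE-2025-13857, CVE-2025-13856, CVE-2025-13656) describe the same two WordPress output-escaping failures. The following is an added illustration, not code from any of those plugins: a hypothetical plugin (all `demo_` names are invented) that echoes `$_SERVER['PHP_SELF']` into a form action and echoes shortcode attributes unescaped, next to the hardened form of each. The polyfills at the top stand in for WordPress's `esc_attr()`, `esc_url()` and `shortcode_atts()` so the file runs under plain `php` outside WordPress; inside WordPress the real functions are used.

```php
<?php
// Added example; not code from CSV Sumotto, myLCO or any of the stored-XSS plugins above.
// Function names prefixed demo_ are hypothetical. The polyfills below stand in for the
// WordPress escaping helpers so the file runs under plain `php` outside WordPress.

if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in for esc_url(): WordPress returns '' for a scheme outside its
    // allow-list (javascript:, data:, ...) and then attribute-escapes what remains.
    function esc_url($url) {
        if (preg_match('#^\s*([a-z][a-z0-9+.-]*):#i', (string) $url, $m)
            && !in_array(strtolower($m[1]), ['http', 'https'], true)) {
            return '';
        }
        return htmlspecialchars((string) $url, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, $atts) {
        return array_merge($defaults, array_intersect_key((array) $atts, $defaults));
    }
}

// Reflected XSS via PHP_SELF. PHP_SELF is built from the request path, so extra path
// segments appended to the script URL by the attacker are echoed back inside the attribute.
function demo_form_vulnerable(): string {
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '"></form>';
}

// Hardened: do not echo PHP_SELF at all. Build the action from a known-good value
// (admin_url() in WordPress) and escape it for the URL-in-attribute context.
function demo_form_hardened(): string {
    $action = function_exists('admin_url') ? admin_url('admin.php?page=demo') : '/wp-admin/admin.php?page=demo';
    return '<form method="post" action="' . esc_url($action) . '"></form>';
}

// Stored XSS via shortcode attributes. A Contributor cannot save <script> in post content
// (KSES strips it), but a shortcode's attribute values are plain text to KSES, so an
// attribute breakout or a javascript: URL survives until the plugin renders it unescaped.
function demo_shortcode_vulnerable($atts): string {
    $a = shortcode_atts(['title' => 'Box', 'url' => '#'], $atts);
    return '<a class="demo-box" title="' . $a['title'] . '" href="' . $a['url'] . '">link</a>';
}

function demo_shortcode_hardened($atts): string {
    $a = shortcode_atts(['title' => 'Box', 'url' => '#'], $atts);
    return '<a class="demo-box" title="' . esc_attr($a['title']) . '" href="' . esc_url($a['url']) . '">link</a>';
}

// Constructed sample input: the PHP_SELF a crafted request path yields, and shortcode
// attributes as a Contributor could save them in a post.
$_SERVER['PHP_SELF'] = '/wp-admin/admin.php/"><script>alert(document.domain)</script>';
$atts = ['title' => '" onmouseover="alert(document.domain)', 'url' => 'javascript:alert(document.domain)'];

foreach (['demo_form_vulnerable', 'demo_form_hardened'] as $fn) {
    echo str_pad($fn, 27), $fn(), "\n";
}
foreach (['demo_shortcode_vulnerable', 'demo_shortcode_hardened'] as $fn) {
    echo str_pad($fn, 27), $fn($atts), "\n";
}
```

Running it prints the vulnerable output with the `<script>` tag, the `"` breakout and the `javascript:` URL intact, and the hardened output with the quotes entity-encoded and the URL dropped. The practical check when reviewing a plugin is the same in both cases: every variable that reaches HTML must pass through the escaping function for its context (`esc_attr`, `esc_url`, `esc_html`, or `wp_kses_post` for rich text) at the point of output, and `$_SERVER['PHP_SELF']` should not reach output at all.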

CVE-2025-13358: Critical Vulnerability in Accessiy WordPress Plugin Enables Unauthorized Page Creation

CVE-2025-13358 is a medium-severity security vulnerability affecting the Accessiy By CodeConfig Accessibility plugin for WordPress, versions up to and including 1.0.0. This vulnerability allows authenticated attackers with Subscriber-level access or higher to create arbitrary published pages on the WordPress site without proper authorization. This can lead to defacement, spam injection, or other malicious activities. …

CVE-2025-13309: Accessiy WordPress Plugin Exposes Global Settings to Subscriber-Level Users

CVE-2025-13309 details an authorization bypass vulnerability found in the "Accessiy By CodeConfig Accessibility – Easy One-Click Accessibility Toolbar That Truly Matters" WordPress plugin. Affecting versions up to and including 1.0.0, this vulnerability allows authenticated attackers with subscriber-level access (or higher) to modify the plugin's global accessibility settings. This is due to insufficient authorization checks …
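The Helloprint (CVE-2025-13666), WP Landing Page (CVE-2025-13629) and both Accessiy entries (CVE-2025-13358, CVE-2025-13309) are the two checks a state-changing WordPress handler can lack: a capability check (missing authorization) and a nonce check (CSRF). The following is an added example, not code from any of those plugins and not the `wplp_api_update_text` function the CSRF entry names: a hypothetical AJAX handler (all `demo_` names are invented) that changes an order status, shown first without either check and then with both. The polyfills stand in for WordPress's nonce and capability functions so the file runs under plain `php`; `manage_woocommerce` is an existing WooCommerce capability chosen for illustration.

```php
<?php
// Added example; not code from Helloprint, WP Landing Page or Accessiy. Names prefixed
// demo_ are hypothetical. The polyfills stand in for WordPress functions so the file
// runs under plain `php`; inside WordPress they already exist and this block is skipped.

$GLOBALS['demo_user'] = ['id' => 0, 'caps' => []];   // simulated session (id 0 = anonymous)

if (!function_exists('wp_verify_nonce')) {
    // Stand-ins only: real WordPress nonces are keyed to the action, user, session token
    // and a time window, and check_ajax_referer() terminates the request on failure.
    function wp_create_nonce($action) {
        return hash_hmac('sha256', $action . '|' . $GLOBALS['demo_user']['id'], 'demo-secret');
    }
    function wp_verify_nonce($nonce, $action) {
        return hash_equals(wp_create_nonce($action), (string) $nonce);
    }
    function is_user_logged_in() { return $GLOBALS['demo_user']['id'] > 0; }
    function current_user_can($cap) { return in_array($cap, $GLOBALS['demo_user']['caps'], true); }
}

// In-memory stand-in for get_option()/update_option().
function demo_settings(?array $new = null): array {
    static $store = ['order_status' => 'processing'];
    if ($new !== null) { $store = $new; }
    return $store;
}

// Vulnerable: what "missing authorization" and "missing nonce validation" look like in
// code. If this is also hooked on wp_ajax_nopriv_*, it is reachable unauthenticated.
function demo_update_status_vulnerable(array $request): array {
    $s = demo_settings();
    $s['order_status'] = $request['status'];
    demo_settings($s);
    return ['ok' => true, 'status' => $s['order_status']];
}

// Hardened. The capability check answers "may this user do this at all?"; the nonce
// answers "did this user actually intend this request?" (CSRF). They are not
// interchangeable: a Subscriber can obtain a valid nonce for their own session from any
// page that prints one, so a nonce without a capability check is still an authorization bypass.
function demo_update_status_hardened(array $request): array {
    if (!is_user_logged_in() || !current_user_can('manage_woocommerce')) {
        return ['ok' => false, 'error' => 'forbidden'];        // wp_send_json_error(null, 403)
    }
    if (!wp_verify_nonce($request['nonce'] ?? '', 'demo_update_status')) {
        return ['ok' => false, 'error' => 'bad_nonce'];        // check_ajax_referer() would die here
    }
    $allowed = ['pending', 'processing', 'completed', 'cancelled'];
    if (!in_array($request['status'] ?? '', $allowed, true)) { // validate input after authorizing
        return ['ok' => false, 'error' => 'invalid_status'];
    }
    $s = demo_settings();
    $s['order_status'] = $request['status'];
    demo_settings($s);
    return ['ok' => true, 'status' => $s['order_status']];
}

// Register only the logged-in AJAX action; a state change gets no wp_ajax_nopriv_ hook.
if (function_exists('add_action')) {
    add_action('wp_ajax_demo_update_status', function () {
        wp_send_json(demo_update_status_hardened($_POST));
    });
}

// Constructed sessions: an anonymous visitor (forged cross-site POST), a Subscriber who
// scraped a nonce from a front-end page, and a shop manager submitting the real form.
$sessions = [
    ['id' => 0, 'caps' => []],
    ['id' => 7, 'caps' => ['read']],
    ['id' => 2, 'caps' => ['read', 'manage_woocommerce']],
];
foreach ($sessions as $user) {
    $GLOBALS['demo_user'] = $user;
    $req = ['status' => 'completed', 'nonce' => wp_create_nonce('demo_update_status')];
    demo_settings(['order_status' => 'processing']);
    echo 'user ', $user['id'], '  vulnerable: ', json_encode(demo_update_status_vulnerable($req)),
         '  hardened: ', json_encode(demo_update_status_hardened($req)), "\n";
}
```

The vulnerable handler accepts all three requests; the hardened one rejects the anonymous and Subscriber sessions with `forbidden` even though both present a nonce that verifies, and accepts only the session holding the capability. For REST routes the equivalent of the first check is a `permission_callback` that returns the `current_user_can()` result rather than `__return_true`.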