Gowri Shankar

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.

CVE-2025-13308: Urgent Security Update for Application Passwords WordPress Plugin – XSS Vulnerability

by

Overview A reflected Cross-Site Scripting (XSS) vulnerability has been discovered in the Application Passwords plugin for WordPress. This vulnerability, identified as CVE-2025-13308, affects all versions up to and including 0.1.3. Unauthenticated attackers can exploit this vulnerability by injecting arbitrary web scripts into the ‘reject_url’ parameter, which will execute when a user interacts with a specific … Read more

Urgent Alert: Reflected XSS Vulnerability Found in Woomotiv WordPress Plugin (CVE-2025-13137)

by

Overview A reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Live Sales Notification for Woocommerce – Woomotiv plugin for WordPress. This vulnerability, tracked as CVE-2025-13137, affects all versions up to and including 3.6.3. The flaw stems from insufficient input sanitization and output escaping of the ‘woomotiv_limit’ parameter. This allows unauthenticated attackers to inject … Read more

CVE-2025-12721: Critical Information Leak Exposes g-FFL Cockpit WordPress Plugin

by

Overview CVE-2025-12721 is a medium-severity vulnerability affecting the g-FFL Cockpit WordPress plugin, versions up to and including 1.7.1. This vulnerability allows unauthenticated attackers to access sensitive server information via the /server_status REST API endpoint due to missing capability checks. This means anyone can potentially retrieve configuration details and other sensitive data about the server hosting … Read more

Urgent: Unauthenticated Product Deletion Vulnerability Found in g-FFL Cockpit WordPress Plugin (CVE-2025-12720)

by

Overview A critical vulnerability, identified as CVE-2025-12720, has been discovered in the g-FFL Cockpit plugin for WordPress. This medium severity flaw allows unauthenticated attackers to delete arbitrary products from a WordPress site. The vulnerability stems from insecure IP-based authorization within the handle_enqueue_only() function. All versions up to, and including, 1.7.1 of the plugin are affected. … Read more

Urgent Security Advisory: Stored XSS Vulnerability in List Attachments Shortcode Plugin (CVE-2025-12717)

by

Overview A stored Cross-Site Scripting (XSS) vulnerability has been identified in the List Attachments Shortcode plugin for WordPress. This vulnerability, tracked as CVE-2025-12717, allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into WordPress pages. These scripts will execute whenever a user accesses the compromised page. All versions up to and … Read more

CVE-2025-12715: Critical Stored XSS Found in Canadian Nutrition Facts Label Plugin

by

Overview CVE-2025-12715 details a Stored Cross-Site Scripting (XSS) vulnerability affecting the Canadian Nutrition Facts Label plugin for WordPress. This vulnerability exists in versions up to and including 3.0. Successful exploitation allows authenticated attackers with Contributor-level access or higher to inject malicious JavaScript code into the website’s database. This injected code executes when other users, including … Read more

Urgent: Critical File Upload Vulnerability in Flex QR Code Generator Plugin (CVE-2025-12673)

by

Overview A critical security vulnerability, identified as CVE-2025-12673, has been discovered in the Flex QR Code Generator plugin for WordPress. This vulnerability allows unauthenticated attackers to upload arbitrary files to the affected server, potentially leading to remote code execution. It affects all versions up to and including 1.2.6. Technical Details The vulnerability stems from a … Read more

CVE-2025-12577: Critical Vulnerability in Listar WordPress Plugin Allows Unauthorized Listing Modification

by

Overview A medium-severity vulnerability, identified as CVE-2025-12577, has been discovered in the Listar – Directory Listing & Classifieds WordPress Plugin. This flaw allows authenticated attackers with Subscriber-level access or higher to modify listing details without proper authorization. This can lead to data manipulation, potential defacement, and other malicious activities. Technical Details The vulnerability exists due … Read more

Listar Plugin Under Attack: CVE-2025-12574 Exposes WordPress Sites to Unauthorized Post Deletion!

by

Overview CVE-2025-12574 is a security vulnerability affecting the Listar – Directory Listing & Classifieds WordPress plugin. This vulnerability allows authenticated attackers with even Subscriber-level access to delete arbitrary posts due to a missing capability check on a specific REST API endpoint. All versions of the plugin up to and including 3.0.0 are affected. Technical Details … Read more

CVE-2025-12091: Subscriber-Level Attackers Can Deactivate WooCommerce Search Plugin

by

Overview CVE-2025-12091 is a medium-severity vulnerability affecting the “Search, Filters & Merchandising for WooCommerce” plugin for WordPress. This plugin, also known as “Instant Search for WooCommerce”, is vulnerable to unauthorized data modification due to a missing capability check on the wcis_save_email endpoint. This flaw allows authenticated attackers with Subscriber-level access or higher to deactivate the … Read more