Overview
This article details a medium-severity SQL injection vulnerability, CVE-2025-13370, in the ProjectList WordPress plugin. All versions up to and including 0.3.0 are affected. The flaw allows authenticated attackers with Editor-level access or higher to append additional SQL to an existing query, potentially extracting sensitive data from the WordPress database.
Technical Details
CVE-2025-13370 is a time-based (blind) SQL injection in the ‘id’ parameter of the ProjectList plugin. It stems from insufficient escaping of the user-supplied value and a lack of sufficient preparation of the existing SQL query that consumes it. Specifically, the plugin fails to properly escape user-supplied data…
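The vulnerable-versus-hardened pattern behind an unprepared ‘id’ lookup, as an added example that is not the ProjectList plugin's own code. The table name `{$wpdb->prefix}example_projects` and the two handler functions are hypothetical; only the WordPress APIs (`$wpdb->prepare()`, `absint()`) are real.

```php
<?php
// Added example, not code from the ProjectList plugin. The table and the
// function names are hypothetical stand-ins for a "look up one row by id" path.

/**
 * Vulnerable pattern: the request value is concatenated straight into SQL.
 * Nothing forces $_GET['id'] to be a number, so a value such as
 * "1 AND SLEEP(5)" is parsed as SQL. It does not change the rows returned,
 * but it changes how long the query takes, which is exactly the signal a
 * time-based (blind) injection relies on.
 */
function example_get_project_unsafe() {
    global $wpdb;
    $id  = isset( $_GET['id'] ) ? $_GET['id'] : '';
    $sql = "SELECT id, title FROM {$wpdb->prefix}example_projects WHERE id = " . $id;
    return $wpdb->get_row( $sql );
}

/**
 * Hardened pattern: coerce the value to an unsigned integer and bind it
 * through $wpdb->prepare() with a %d placeholder, so the request value can
 * never be interpreted as SQL syntax.
 */
function example_get_project_safe() {
    global $wpdb;
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    if ( 0 === $id ) {
        return null; // absint() turns any non-numeric input into 0
    }
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}example_projects WHERE id = %d",
        $id
    );
    return $wpdb->get_row( $sql );
}
```

`absint()` alone would already defeat this particular injection, but keeping `prepare()` means that when a string parameter is added later it goes through `%s` and is quoted and escaped the same way, rather than relying on each call site to remember the cast.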
-
Stay informed about a significant security vulnerability, CVE-2025-13311, affecting the Just Highlight WordPress plugin. This article provides a comprehensive overview, technical analysis, and mitigation strategies to protect your WordPress site.
Overview
CVE-2025-13311 identifies a Stored Cross-Site Scripting (XSS) vulnerability in the Just Highlight plugin for WordPress. Versions up to and including 1.0.3 are susceptible. An authenticated attacker with administrator-level privileges or higher can inject malicious JavaScript into the plugin’s settings, which then executes whenever another user (including other administrators) opens the plugin’s settings page. This can lead to account takeover, data theft, or other malicious activity. Because administrators on single-site installs normally hold the unfiltered_html capability anyway, the practical exposure is mainly on multisite installs or where that capability has been removed.
Technical Details…
-
Overview
A critical security vulnerability, CVE-2025-12645, has been discovered in the Inline Frame – Iframe plugin for WordPress. The flaw exposes websites to Stored Cross-Site Scripting (XSS) attacks. This article provides a detailed analysis of the vulnerability, its potential impact, and the steps needed to mitigate the risk.
Technical Details
The vulnerability resides in the ’embedsite’ shortcode of the Inline Frame – Iframe plugin and affects all versions up to and including 0.1. The plugin fails to adequately sanitize user-supplied attributes within the shortcode. Specifically, when a user with contributor-level access or higher inserts the [embedsite] shortcode with…
-
Overview
CVE-2025-12634 is a medium-severity vulnerability in the Refund Request for WooCommerce plugin for WordPress, versions up to and including 1.0. It allows authenticated attackers with Subscriber-level access or higher to modify refund statuses without authorization. Specifically, they can approve or reject refund requests, potentially leading to financial discrepancies and abuse.
Technical Details
The vulnerability stems from a missing capability check in the plugin’s update_refund_status function. Normally only users with specific capabilities (for example, shop managers and administrators) should be able to change refund statuses. Because the check is missing, any authenticated user, even a Subscriber,…
-
Overview
CVE-2025-12587 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Peer Publish plugin for WordPress. It affects all versions up to and including 1.0 and stems from missing nonce validation on key website-management pages in the plugin’s admin interface.
Technical Details
The Peer Publish plugin does not validate nonces on its website-management pages. Specifically, the newwebsite.php and websites.php files in the plugin’s /admin/admin-pages/ directory lack sufficient CSRF protection. This allows an attacker to forge requests that add, modify, or delete website configurations within the Peer Publish plugin. An…
-
Overview
CVE-2025-12586 is a Cross-Site Request Forgery (CSRF) vulnerability in the Conditional Maintenance Mode for WordPress plugin. Affecting all versions up to and including 1.0.0, it allows an unauthenticated attacker to enable or disable a site’s maintenance mode with a forged request, provided the attacker can trick a logged-in administrator into performing an action such as clicking a link. The flaw stems from missing nonce validation when the maintenance-mode status is toggled.
Technical Details
The vulnerability exists because the plugin does not verify the origin of requests that toggle maintenance mode. Specifically, the code responsible for enabling or disabling maintenance mode (as observed in the plugin’s source) lacks a…
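What the missing nonce check looks like, and the usual fix, for both the Peer Publish and the Conditional Maintenance Mode entries above. This is an added example, not either plugin's code: the `example_mm_*` functions, the `example_mm_enabled` option and the settings page are hypothetical; `wp_nonce_field()`, `check_admin_referer()` and `current_user_can()` are the real WordPress APIs.

```php
<?php
// Added example, not code from Peer Publish or Conditional Maintenance Mode.
// Hypothetical plugin "example_mm": one options page with a form that toggles a
// maintenance-mode flag, plus the handler that processes the submission.

// Vulnerable pattern: any POST that reaches the handler is trusted. A page on
// another origin can auto-submit a form to wp-admin while an administrator is
// logged in; the browser attaches the admin's cookies and the toggle happens.
function example_mm_toggle_unsafe() {
    if ( isset( $_POST['example_mm_toggle'] ) ) {
        update_option( 'example_mm_enabled', ! get_option( 'example_mm_enabled', false ) );
    }
}

// Hardened pattern, part 1: the form carries a nonce bound to this action and
// to the current user's session. A cross-origin page cannot read it, so it
// cannot forge a request that passes the check.
function example_mm_render_page() {
    $enabled = (bool) get_option( 'example_mm_enabled', false );
    ?>
    <div class="wrap">
        <h1>Maintenance mode</h1>
        <form method="post" action="">
            <?php wp_nonce_field( 'example_mm_toggle', 'example_mm_nonce' ); ?>
            <input type="hidden" name="example_mm_toggle" value="1">
            <?php submit_button( $enabled ? 'Disable maintenance mode' : 'Enable maintenance mode' ); ?>
        </form>
    </div>
    <?php
}

// Hardened pattern, part 2: verify capability and nonce before acting.
function example_mm_toggle_safe() {
    if ( ! isset( $_POST['example_mm_toggle'] ) ) {
        return;
    }
    // Authorization first: a nonce proves the request came from our own page,
    // not that the user is allowed to perform the action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // check_admin_referer() validates the nonce and calls wp_die() if it fails.
    check_admin_referer( 'example_mm_toggle', 'example_mm_nonce' );
    update_option( 'example_mm_enabled', ! get_option( 'example_mm_enabled', false ) );
}

add_action( 'admin_init', 'example_mm_toggle_safe' );
add_action( 'admin_menu', function () {
    add_options_page( 'Maintenance mode', 'Maintenance mode', 'manage_options',
        'example-mm', 'example_mm_render_page' );
} );
```

The capability check and the nonce check guard different things: the first answers "may this user do this?", the second "did this user actually intend to do it?". Pages that add or delete records, such as the website-management pages described above, need both on every state-changing request.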
-
Overview
CVE-2025-12525 is a medium-severity vulnerability in the Locker Content WordPress plugin, version 1.0.0. It allows unauthenticated attackers to bypass the plugin’s content-locking mechanism and access content that should be restricted. The flaw lies in the handling of the lockerco_submit_post AJAX endpoint.
Technical Details
The vulnerability stems from missing access-control checks on the lockerco_submit_post AJAX endpoint. The endpoint is meant to handle submissions related to locked content. Because it does not adequately verify user authentication or authorization, an attacker can send crafted requests to it and retrieve the protected…
-
Overview
A medium-severity vulnerability, CVE-2025-12043, has been discovered in the Autochat Automatic Conversation plugin for WordPress. It allows unauthenticated attackers to connect and disconnect the client ID, leading to unauthorized modification of data.
Technical Details
The vulnerability resides in the ‘wp_ajax_nopriv_auycht_saveCid’ AJAX endpoint. Versions up to and including 1.1.9 of the Autochat plugin lack proper capability checks on this endpoint. This means that an attacker who is not logged in (the ‘nopriv’ hook) can call the endpoint directly via an AJAX request and manipulate the client ID associated with the plugin. Because there is no check to confirm…
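The three preceding entries (the refund-status function, the lockerco_submit_post endpoint and the nopriv saveCid endpoint) share one root cause: an admin-ajax handler that acts without asking who is calling. The following is an added example, not code from any of those plugins. The `example_set_status` action, the `_example_status` post meta and the status list are hypothetical; `check_ajax_referer()`, `current_user_can()` and the `wp_ajax_*` hooks are the real WordPress APIs, and `manage_woocommerce` is the real capability WooCommerce grants to shop managers and administrators.

```php
<?php
// Added example, not code from the plugins described above. The action name,
// the meta key and the status values are hypothetical.

// Vulnerable pattern. Registering the nopriv hook makes the handler reachable
// without any session; even without it, any logged-in user (a Subscriber
// included) can call a wp_ajax_* action unless the callback checks itself.
//
//   add_action( 'wp_ajax_example_set_status',        'example_set_status_unsafe' );
//   add_action( 'wp_ajax_nopriv_example_set_status', 'example_set_status_unsafe' );
//
// The registrations are left as comments so this file hooks only the safe version.
function example_set_status_unsafe() {
    $id     = absint( $_POST['id'] ?? 0 );
    $status = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    update_post_meta( $id, '_example_status', $status );
    wp_send_json_success();
}

// Hardened pattern.
function example_set_status_safe() {
    // 1. Nonce: rejects forged cross-site requests. The page's JavaScript
    //    receives the value from wp_create_nonce( 'example_set_status' ) and
    //    posts it back in the 'nonce' field.
    check_ajax_referer( 'example_set_status', 'nonce' );

    // 2. Capability: only users allowed to run the shop may change a status.
    //    This is the check whose absence lets a Subscriber approve refunds.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input: accept only known states instead of storing free text.
    $allowed = array( 'pending', 'approved', 'rejected' );
    $id      = absint( $_POST['id'] ?? 0 );
    $status  = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    if ( 0 === $id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'bad request' ), 400 );
    }

    update_post_meta( $id, '_example_status', $status );
    wp_send_json_success( array( 'id' => $id, 'status' => $status ) );
}

// Only the authenticated hook is registered: there is no legitimate anonymous
// caller for this action, so the nopriv variant simply does not exist.
add_action( 'wp_ajax_example_set_status', 'example_set_status_safe' );
```

When reviewing a plugin, grep for `wp_ajax_nopriv_` and for `wp_ajax_` callbacks with no `current_user_can()` call; each hit is a handler whose authorization has to be justified, not assumed.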
-
Overview
CVE-2025-12040 is a medium-severity vulnerability in the Wishlist for WooCommerce plugin for WordPress. It allows unauthenticated attackers to modify other users’ wishlists and stems from an Insecure Direct Object Reference (IDOR) in versions up to and including 1.0.9.
Technical Details
The vulnerability resides in the plugin’s class-th-wishlist-frontend.php file. Several functions in this file lack validation of the user-controlled key that identifies the wishlist being manipulated. Specifically, the code fails to verify that the currently logged-in user (or the anonymous visitor, for unauthenticated requests) has the right to modify the…
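An IDOR differs from a missing capability check: the caller may legitimately own some wishlist, so the fix is to tie the request's key to the caller's identity rather than to gate the whole endpoint. The following is an added example, not code from Wishlist for WooCommerce. The storage model (a hypothetical `example_wishlist` post type, `_example_items` and `_example_guest_token` meta keys, and an `example_wl_token` cookie for guests) is assumed for illustration.

```php
<?php
// Added example, not code from Wishlist for WooCommerce. Assumed storage: each
// wishlist is a post of type 'example_wishlist' whose post_author is the owner;
// guest lists instead carry a random per-visitor token in post meta, mirrored
// in a cookie set when the list was created. Requests identify a list by 'key'.

// Vulnerable pattern: the key from the request is the only thing that selects
// the list. Anyone who can guess or enumerate keys can edit anyone's list.
function example_remove_item_unsafe() {
    $list_id    = absint( $_POST['key'] ?? 0 );
    $product_id = absint( $_POST['product_id'] ?? 0 );
    $items = array_diff( (array) get_post_meta( $list_id, '_example_items', true ), array( $product_id ) );
    update_post_meta( $list_id, '_example_items', array_values( $items ) );
}

// Hardened pattern: resolve the object, then prove the caller owns it.
function example_current_visitor_owns( $list_id ) {
    $list = get_post( $list_id );
    if ( ! $list || 'example_wishlist' !== $list->post_type ) {
        return false; // unknown id, or an id pointing at some other post type
    }
    if ( is_user_logged_in() ) {
        return (int) $list->post_author === get_current_user_id();
    }
    // Guest: the cookie token must match the token stored with the list.
    // hash_equals() keeps the comparison constant-time.
    $cookie = isset( $_COOKIE['example_wl_token'] ) ? (string) $_COOKIE['example_wl_token'] : '';
    $stored = (string) get_post_meta( $list_id, '_example_guest_token', true );
    return '' !== $stored && hash_equals( $stored, $cookie );
}

function example_remove_item_safe() {
    check_ajax_referer( 'example_wishlist', 'nonce' );
    $list_id    = absint( $_POST['key'] ?? 0 );
    $product_id = absint( $_POST['product_id'] ?? 0 );
    if ( ! example_current_visitor_owns( $list_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $items = array_diff( (array) get_post_meta( $list_id, '_example_items', true ), array( $product_id ) );
    update_post_meta( $list_id, '_example_items', array_values( $items ) );
    wp_send_json_success( array( 'items' => array_values( $items ) ) );
}

// Guests legitimately use wishlists, so the nopriv hook stays; the ownership
// check above is what makes that safe.
add_action( 'wp_ajax_example_remove_item',        'example_remove_item_safe' );
add_action( 'wp_ajax_nopriv_example_remove_item', 'example_remove_item_safe' );
```

The same ownership helper should guard every function that reads or writes a list by key (add, remove, rename, clear); the entry above notes that several functions in the frontend class are affected, which is typical when the check is missing from a shared lookup rather than from one handler.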
-
Overview
A Stored Cross-Site Scripting (XSS) vulnerability, CVE-2025-12032, has been discovered in the Zweb Social Mobile – Ứng Dụng Nút Gọi Mobile plugin for WordPress. The plugin adds social-media and contact buttons to mobile websites. The vulnerability affects all versions up to and including 1.0.0.
Technical Details
The vulnerability stems from insufficient input sanitization and output escaping of the following parameters: vithanhlam_zsocial_save_messager, vithanhlam_zsocial_save_zalo, vithanhlam_zsocial_save_hotline, and vithanhlam_zsocial_save_contact. Authenticated attackers with administrator-level access can inject arbitrary web scripts into pages via these parameters (as with other administrator-level stored XSS, this matters chiefly on multisite or where the unfiltered_html capability has been removed). When a user accesses a page containing the injected…
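The three stored XSS entries on this page (Just Highlight's settings, the [embedsite] shortcode attributes, and the vithanhlam_zsocial_save_* parameters) share the same two-sided fix: sanitize on save, escape on output, each with the function that matches the HTML context. The following is an added example, not code from any of those plugins. The `example_hotline` option, the `[example_frame]` shortcode and the `example_*` functions are hypothetical; `register_setting()`, `sanitize_text_field()`, `esc_attr()`, `esc_html()`, `esc_url()` and `shortcode_atts()` are the real WordPress APIs.

```php
<?php
// Added example, not code from Just Highlight, Inline Frame - Iframe or Zweb
// Social Mobile. Option name, shortcode name and function names are hypothetical.

// --- A settings field rendered into the front end ------------------------

// Vulnerable pattern: the raw option is echoed into an attribute and into text.
// A stored value such as   " onmouseover="alert(1)   closes the href attribute
// and adds an event handler; because it is stored, it fires for every visitor.
function example_render_hotline_unsafe() {
    $hotline = get_option( 'example_hotline', '' );
    echo '<a class="hotline" href="tel:' . $hotline . '">' . $hotline . '</a>';
}

// Hardened pattern, input side: register the option with a sanitize callback
// so whatever reaches the database has already been stripped of tags.
function example_register_settings() {
    register_setting( 'example_options', 'example_hotline', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'example_register_settings' );

// Hardened pattern, output side: escape for the context at the point of output.
// Sanitizing on save is not enough on its own, because the value may have been
// written by a different code path or an older version without the callback.
function example_render_hotline_safe() {
    $hotline = get_option( 'example_hotline', '' );
    echo '<a class="hotline" href="' . esc_attr( 'tel:' . $hotline ) . '">'
        . esc_html( $hotline ) . '</a>';
}

// --- A shortcode with user-supplied attributes ---------------------------

// Contributors can place shortcodes in posts, so every attribute is untrusted.
// shortcode_atts() drops attributes not in the whitelist; esc_url() with an
// explicit protocol list rejects javascript: and data: URLs and returns '' for
// them; esc_attr() protects the remaining attribute values.
function example_frame_shortcode( $atts ) {
    $atts = shortcode_atts( array(
        'src'    => '',
        'width'  => '100%',
        'height' => '400',
    ), $atts, 'example_frame' );

    $src = esc_url( $atts['src'], array( 'http', 'https' ) );
    if ( '' === $src ) {
        return ''; // no src, or a src with a disallowed scheme
    }
    return sprintf(
        '<iframe src="%s" width="%s" height="%s"></iframe>',
        $src,
        esc_attr( $atts['width'] ),
        esc_attr( $atts['height'] )
    );
}
add_shortcode( 'example_frame', 'example_frame_shortcode' );
```

The rule of thumb when auditing output: every `echo` of stored or request-derived data should pass through `esc_html()`, `esc_attr()`, `esc_url()` or `wp_kses_post()` according to where in the markup it lands; a value that is "sanitized on save" but echoed raw is still a finding.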