  • Cybersecurity Vulnerabilities

    CVE-2025-12634: Refund Request for WooCommerce Vulnerability Allows Unauthorized Refund Status Changes

    Overview CVE-2025-12634 is a medium-severity vulnerability affecting the Refund Request for WooCommerce plugin for WordPress, versions up to and including 1.0. It allows authenticated attackers with Subscriber-level access or higher to change refund statuses without authorization: they can approve or reject refund requests, which can lead to financial discrepancies and abuse. Technical Details The vulnerability stems from a missing capability check in the plugin's update_refund_status function. Only users holding the appropriate capabilities (shop manager or administrator, for example) should be able to change refund statuses, but because no check is performed, any authenticated user, even a Subscriber,…

  • Cybersecurity Vulnerabilities

    CVE-2025-12587: Critical CSRF Vulnerability Discovered in Peer Publish WordPress Plugin

    Overview CVE-2025-12587 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the Peer Publish plugin for WordPress, affecting all versions up to and including 1.0. It stems from missing nonce validation on website management pages in the plugin's admin interface. Technical Details The plugin does not validate nonces on its website management pages: the newwebsite.php and websites.php files in the plugin's /admin/admin-pages/ directory lack CSRF protection. An attacker who can lure a logged-in administrator to a crafted page can therefore forge requests that add, modify, or delete website configurations within Peer Publish. An…

  • Cybersecurity Vulnerabilities

    CVE-2025-12586: Critical CSRF Flaw Exposes WordPress Sites Using Conditional Maintenance Mode Plugin

    Overview CVE-2025-12586 is a Cross-Site Request Forgery (CSRF) vulnerability in the Conditional Maintenance Mode for WordPress plugin, affecting all versions up to and including 1.0.0. It lets an unauthenticated attacker enable or disable a site's maintenance mode, provided they can trick an authenticated administrator into performing the action (for example by clicking a crafted link). The flaw stems from missing nonce validation when the maintenance mode status is toggled. Technical Details The plugin does not verify the origin of requests that toggle maintenance mode. Specifically, the code responsible for enabling or disabling maintenance mode (as observed in the plugin's code) lacks a…

  • Cybersecurity Vulnerabilities

    CVE-2025-12525: Locker Content Plugin Exposes Protected Content to Unauthenticated Users

    Overview CVE-2025-12525 is a medium-severity vulnerability affecting version 1.0.0 of the Locker Content WordPress plugin. It allows unauthenticated attackers to bypass the plugin's content locking and read content that should be restricted. The flaw resides in the handling of the lockerco_submit_post AJAX endpoint. Technical Details The lockerco_submit_post endpoint, intended to handle submissions related to locked content, performs no adequate authentication or authorization check, so an attacker can send crafted requests to it and retrieve the protected…

  • Cybersecurity Vulnerabilities

    Beware! Autochat WordPress Plugin Vulnerable to Unauthenticated Data Modification (CVE-2025-12043)

    Overview A medium-severity vulnerability, CVE-2025-12043, has been discovered in the Autochat Automatic Conversation plugin for WordPress. It allows unauthenticated attackers to connect and disconnect the client ID, an unauthorized modification of data. Technical Details The vulnerability resides in the ‘wp_ajax_nopriv_auycht_saveCid’ AJAX endpoint. Versions up to and including 1.1.9 lack a capability check on this endpoint. The nopriv variant of the wp_ajax hook is, by design, run for visitors who are not logged in, so the handler must perform its own authorization; here it does not, and an anonymous attacker can call the endpoint directly and manipulate the client ID associated with the plugin. Because there is no check to confirm…
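    The three AJAX-handler bugs above (CVE-2025-12634, CVE-2025-12525, CVE-2025-12043) and the two nonce-validation bugs (CVE-2025-12587, CVE-2025-12586) share one root cause: a state-changing handler that trusts the hook it is registered on instead of checking who is calling and whether the request was intended. The following is an added example written for this page, not code from any of the plugins named; the plugin prefix "demo_", the option name, the action names and the "manage_woocommerce" capability are assumptions. The stubs at the top stand in for WordPress core so the file runs under the php CLI; inside WordPress they are skipped.

```php
<?php
// Added example: a WordPress AJAX handler with no nonce or capability check,
// beside a hardened version. Names prefixed "demo_" are assumptions.

// Minimal stand-ins so this file runs outside WordPress (skipped when core is loaded).
if (!function_exists('add_action')) {
    function add_action(string $hook, callable $cb): void { $GLOBALS['demo_hooks'][$hook] = $cb; }
    function current_user_can(string $cap): bool { return (bool) ($GLOBALS['demo_caps'][$cap] ?? false); }
    function check_ajax_referer(string $action, string $field = '_wpnonce', bool $die = true): bool {
        $ok = hash_equals($GLOBALS['demo_nonce'] ?? '', (string) ($_REQUEST[$field] ?? ''));
        if (!$ok && $die) { throw new RuntimeException('nonce check failed'); }
        return $ok;
    }
    function update_option(string $name, $value): bool { $GLOBALS['demo_options'][$name] = $value; return true; }
    function sanitize_key(string $k): string { return preg_replace('/[^a-z0-9_\-]/', '', strtolower($k)); }
    function wp_send_json_error($d = null): void { throw new RuntimeException('error: ' . json_encode($d)); }
    function wp_send_json_success($d = null): void { echo json_encode(['success' => true, 'data' => $d]), "\n"; }
}

// --- Vulnerable: reachable by anyone, no capability check, no nonce check --------
function demo_vuln_set_status(): void {
    $status = sanitize_key($_POST['status'] ?? '');
    update_option('demo_refund_status', $status);   // any caller flips the state
    wp_send_json_success($status);
}
// wp_ajax_nopriv_* fires for logged-out visitors; wp_ajax_* fires for every logged-in
// user, Subscribers included. Neither hook is an authorization check by itself.
add_action('wp_ajax_nopriv_demo_set_status', 'demo_vuln_set_status');
add_action('wp_ajax_demo_set_status', 'demo_vuln_set_status');

// --- Hardened: nonce (anti-CSRF) AND capability (authorization) --------------------
function demo_safe_set_status(): void {
    check_ajax_referer('demo_set_status', '_wpnonce');     // forged request: die here
    if (!current_user_can('manage_woocommerce')) {        // Subscriber: refused here
        wp_send_json_error('forbidden');
    }
    $status = sanitize_key($_POST['status'] ?? '');
    if (!in_array($status, ['pending', 'approved', 'rejected'], true)) {
        wp_send_json_error('bad status');                  // allow-list the value too
    }
    update_option('demo_refund_status', $status);
    wp_send_json_success($status);
}
// No nopriv registration: anonymous callers have no business here.
add_action('wp_ajax_demo_safe_set_status', 'demo_safe_set_status');

// Stand-alone demonstration, only under the CLI stubs (constructed request data).
if (PHP_SAPI === 'cli' && !defined('ABSPATH')) {
    $GLOBALS['demo_caps']  = ['read' => true];             // what a Subscriber holds
    $GLOBALS['demo_nonce'] = 'n0nce';                      // the nonce a real form would carry
    $_POST = ['status' => 'approved'];
    call_user_func($GLOBALS['demo_hooks']['wp_ajax_demo_set_status']);       // succeeds: the bug
    foreach ([null, 'n0nce'] as $nonce) {
        if ($nonce !== null) { $_REQUEST['_wpnonce'] = $nonce; }
        try {
            call_user_func($GLOBALS['demo_hooks']['wp_ajax_demo_safe_set_status']);
        } catch (RuntimeException $e) {
            echo "hardened handler: {$e->getMessage()}\n";  // nonce failure, then "forbidden"
        }
    }
}
```

    The two checks are not interchangeable: the nonce proves the request came from a form the site rendered for this user (defeating CSRF) but says nothing about the user's role, and the capability check proves the role but does nothing against a forged request carried by an administrator's own browser. For classic admin pages such as the Peer Publish and Conditional Maintenance Mode forms, the equivalent pairing is wp_nonce_field() in the form, check_admin_referer() in the handler, and current_user_can('manage_options') before any write.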

  • Cybersecurity Vulnerabilities

    Urgent: Unauthenticated Users Can Modify Wishlists in Wishlist for WooCommerce Plugin (CVE-2025-12040)

    Overview CVE-2025-12040 is a medium-severity vulnerability affecting the Wishlist for WooCommerce plugin for WordPress. It allows unauthenticated attackers to modify other users' wishlists and stems from an Insecure Direct Object Reference (IDOR) in versions up to and including 1.0.9. Technical Details The vulnerability resides in the plugin's class-th-wishlist-frontend.php file. Several functions there take a user-controlled key that identifies the wishlist being manipulated and do not validate it: the code never checks whether the current user (or the anonymous visitor, in the case of unauthenticated requests) has the right to modify the…
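    An IDOR of this shape is an authorization bug, not an input-validation bug: the key may be perfectly well-formed and still belong to someone else. The following added example (not the Wishlist for WooCommerce plugin's code) shows a handler that trusts a client-supplied wishlist key beside one that checks ownership first; the in-memory store, the "demo_" function names and the guest-token scheme are assumptions. The stubs let it run under the php CLI and are skipped inside WordPress.

```php
<?php
// Added example: IDOR on a wishlist key, and the ownership check that closes it.

if (!function_exists('get_current_user_id')) {   // CLI stand-ins; skipped inside WordPress
    function get_current_user_id(): int { return $GLOBALS['demo_uid'] ?? 0; }
    function absint($v): int { return abs((int) $v); }
    function sanitize_text_field($v): string { return trim(strip_tags((string) $v)); }
}

// Constructed store: key => [owner user id (0 = guest list), guest token, product ids].
$GLOBALS['demo_wishlists'] = [
    'wl_alice' => ['owner' => 7, 'guest_token' => null,    'items' => [101, 102]],
    'wl_guest' => ['owner' => 0, 'guest_token' => 'tok_g', 'items' => [300]],
];

// Vulnerable: the key alone selects the list, so whoever sends it can edit it.
function demo_vuln_remove_item(array $req): bool {
    $key = sanitize_text_field($req['wishlist_key'] ?? '');
    $pid = absint($req['product_id'] ?? 0);
    if (!isset($GLOBALS['demo_wishlists'][$key])) { return false; }
    $items = $GLOBALS['demo_wishlists'][$key]['items'];
    $GLOBALS['demo_wishlists'][$key]['items'] = array_values(array_diff($items, [$pid]));
    return true;
}

// Hardened: bind the list to its owner before touching it.
function demo_user_owns_wishlist(array $list, array $req): bool {
    $uid = get_current_user_id();
    if ($list['owner'] !== 0) {
        return $uid === $list['owner'];            // a user's list: that user only
    }
    // Guest lists: require a secret issued to that browser (cookie or session), compared
    // in constant time. The wishlist key itself is shareable and therefore not a secret.
    $token = (string) ($req['guest_token'] ?? '');
    return $uid === 0 && $list['guest_token'] !== null && hash_equals($list['guest_token'], $token);
}

function demo_safe_remove_item(array $req): bool {
    $key  = sanitize_text_field($req['wishlist_key'] ?? '');
    $pid  = absint($req['product_id'] ?? 0);
    $list = $GLOBALS['demo_wishlists'][$key] ?? null;
    if ($list === null || !demo_user_owns_wishlist($list, $req)) {
        return false;   // same answer for "no such list" and "not yours": no enumeration oracle
    }
    $GLOBALS['demo_wishlists'][$key]['items'] = array_values(array_diff($list['items'], [$pid]));
    return true;
}

if (PHP_SAPI === 'cli' && !defined('ABSPATH')) {   // constructed requests
    $GLOBALS['demo_uid'] = 0;                       // anonymous visitor
    var_dump(demo_vuln_remove_item(['wishlist_key' => 'wl_alice', 'product_id' => 101])); // true: the IDOR
    var_dump(demo_safe_remove_item(['wishlist_key' => 'wl_alice', 'product_id' => 102])); // false
    $GLOBALS['demo_uid'] = 7;                       // Alice herself
    var_dump(demo_safe_remove_item(['wishlist_key' => 'wl_alice', 'product_id' => 102])); // true
    var_dump(demo_safe_remove_item(['wishlist_key' => 'wl_guest', 'product_id' => 300])); // false: not her list
}
```

    The check has to run on every function that accepts the key (add, remove, clear, share), not only on the one that was reported; the advisory says several functions in the same file share the defect, which is the usual outcome when the lookup helper has no notion of a caller.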

  • Cybersecurity Vulnerabilities

    Urgent: Stored XSS Flaw Exposes Zweb Social Mobile WordPress Plugin Users (CVE-2025-12032)

    Overview A Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-12032, has been discovered in the Zweb Social Mobile – Ứng Dụng Nút Gọi Mobile plugin for WordPress, which lets site owners add social media and contact buttons to their mobile websites. The vulnerability affects all versions of the plugin up to and including 1.0.0. Technical Details The vulnerability stems from insufficient input sanitization and output escaping of the following parameters: vithanhlam_zsocial_save_messager, vithanhlam_zsocial_save_zalo, vithanhlam_zsocial_save_hotline, and vithanhlam_zsocial_save_contact. Authenticated attackers with administrator-level access can inject arbitrary web scripts into pages via these parameters. Because single-site administrators normally hold the unfiltered_html capability and may post script legitimately, this matters on multisite installations or where that capability has been disabled. When a user accesses a page containing the injected…

  • Cybersecurity Vulnerabilities

    Beware! YouTube Subscribe Plugin for WordPress: Stored XSS Vulnerability (CVE-2025-12025)

    Overview A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the YouTube Subscribe WordPress plugin, tracked as CVE-2025-12025. It affects versions up to and including 3.0.0. Attackers with administrator-level permissions can inject malicious JavaScript into the plugin's settings, which then executes in the browsers of other users who load the affected pages, leading to account compromise, data theft, or other malicious activity. The vulnerability is only exploitable on multi-site installations or when the unfiltered_html capability has been disabled, since on a single site administrators hold unfiltered_html and may post script anyway. Technical Details The vulnerability stems from insufficient input sanitization and output escaping within the plugin's admin settings.…
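    Both stored-XSS entries above describe the same defect: a settings value saved raw and printed raw. The following added example (not code from the Zweb Social Mobile or YouTube Subscribe plugins) shows that pattern beside the fix, sanitize on save and escape for the exact output context; the option name, the hotline field and the "demo_" function names are assumptions. The stubs approximate WordPress's sanitize_text_field(), esc_attr() and esc_html() so the file runs under the php CLI and are skipped inside WordPress.

```php
<?php
// Added example: stored XSS through a plugin setting, and the sanitize/escape fix.

if (!function_exists('sanitize_text_field')) {   // CLI approximations; skipped inside WordPress
    function sanitize_text_field($v): string {
        return trim((string) preg_replace('/[\r\n\t ]+/', ' ', strip_tags((string) $v)));
    }
    function esc_attr($v): string { return htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
    function esc_html($v): string { return htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
    function update_option(string $n, $v): bool { $GLOBALS['demo_options'][$n] = $v; return true; }
    function get_option(string $n, $d = '') { return $GLOBALS['demo_options'][$n] ?? $d; }
}

// Vulnerable: the raw POST value is stored, then written into HTML unescaped.
function demo_vuln_save(array $post): void {
    update_option('demo_hotline', $post['demo_hotline'] ?? '');
}
function demo_vuln_render(): string {
    $hotline = get_option('demo_hotline');
    return '<a class="hotline" href="tel:' . $hotline . '">' . $hotline . '</a>';
}

// Hardened: validate the value on the way in, escape per context on the way out.
function demo_safe_save(array $post): void {
    $hotline = sanitize_text_field($post['demo_hotline'] ?? '');
    // A hotline is a phone number; anything else is dropped rather than "cleaned".
    if (!preg_match('/^\+?[0-9 ().\-]{3,32}$/', $hotline)) { $hotline = ''; }
    update_option('demo_hotline', $hotline);
}
function demo_safe_render(): string {
    $hotline = get_option('demo_hotline');
    // esc_attr inside the attribute, esc_html in the text node: different contexts.
    return '<a class="hotline" href="' . esc_attr('tel:' . $hotline) . '">' . esc_html($hotline) . '</a>';
}

if (PHP_SAPI === 'cli' && !defined('ABSPATH')) {
    $payload = ['demo_hotline' => '"><script>alert(document.cookie)</script>'];   // constructed attacker input
    demo_vuln_save($payload);
    echo demo_vuln_render(), "\n";   // the script tag lands in the page for every visitor
    demo_safe_save($payload);
    echo demo_safe_render(), "\n";   // empty hotline: the payload failed validation
    demo_safe_save(['demo_hotline' => '+84 (0) 912-345-678']);
    echo demo_safe_render(), "\n";   // a real number survives unchanged
}
```

    Sanitizing on save alone is not enough, because other code paths (imports, the REST API, direct database edits) can still store a hostile value; escaping at output is what actually prevents execution, and the escaping function must match the context (esc_attr for attributes, esc_html for text, esc_url for href values that can carry a scheme). The unfiltered_html caveat in both advisories follows from WordPress's role model: on a single site an administrator may post raw HTML by design, so admin-only stored XSS is a real boundary crossing only on multisite, where ordinary site administrators lack that capability, or where DISALLOW_UNFILTERED_HTML has removed it.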

  • Cybersecurity Vulnerabilities

    ASUS Router WebDAV Vulnerability: CVE-2025-12003 Path Traversal Alert!

    Overview A path traversal vulnerability, identified as CVE-2025-12003, has been discovered in the WebDAV implementation of certain ASUS router firmware. It could allow unauthenticated remote attackers to compromise the integrity of affected devices. This advisory provides details on the vulnerability and recommends mitigation steps. Technical Details CVE-2025-12003 stems from insufficient input validation when file paths are handled through the WebDAV interface. By sending HTTP requests whose paths contain traversal sequences (such as ../, possibly URL-encoded), an attacker might be able to step outside the intended WebDAV root directory and access or modify files there. This could lead to unauthorized access to sensitive system files or the modification of…
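    The advisory does not publish the faulty code, so the following added example is a generic root-confinement check rather than ASUS's implementation: decode the request path once, normalise it lexically, and refuse anything that resolves above the share root. The share root and the constructed request paths are assumptions; the function name is illustrative.

```php
<?php
// Added example: confine a WebDAV request path to the share root before touching the filesystem.

function demo_resolve_in_root(string $root, string $request_path): ?string {
    // Decode exactly once. Decoding twice lets "%252e%252e" turn into ".." after the check.
    $path = rawurldecode($request_path);
    // A NUL byte truncates the path in C string APIs underneath; never pass it on.
    if (strpos($path, "\0") !== false) { return null; }
    $path = str_replace('\\', '/', $path);          // treat backslash as a separator as well

    $parts = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }   // "//" and "/./" collapse
        if ($seg === '..') {
            if (!$parts) { return null; }                // would climb above the root
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    $root     = rtrim($root, '/');
    $resolved = $root . '/' . implode('/', $parts);
    // Belt and braces: the final string must still sit under the root prefix.
    return strpos($resolved, $root . '/') === 0 ? $resolved : null;
}

if (PHP_SAPI === 'cli') {
    $root  = '/tmp/webdav';                 // assumed share root
    $tests = [                              // constructed request paths
        '/docs/readme.txt',
        '/docs/../../etc/passwd',
        '/docs/%2e%2e/%2e%2e/etc/passwd',
        '/docs/..%5c..%5cetc/shadow',
        '/docs/./a//b/../c.txt',
        '/docs/file.txt%00.jpg',
    ];
    foreach ($tests as $t) {
        printf("%-36s -> %s\n", $t, demo_resolve_in_root($root, $t) ?? 'REJECTED');
    }
}
```

    Lexical normalisation is the right first gate because WebDAV PUT and MKCOL create targets that do not exist yet, so realpath() alone cannot be used; for targets that do exist, a second check that realpath() of the result still starts with the root defeats symlinks planted inside the share.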

  • Cybersecurity Vulnerabilities

    MongoDB Flaw CVE-2025-13644: Invariant Failure in Batched Deletes Can Abort the Server

    Overview CVE-2025-13644 is a medium-severity vulnerability affecting MongoDB Server. It can trigger an invariant failure during batched delete operations; because a failed invariant aborts the mongod process, the practical impact is an interrupted delete and a server crash, with the unexpected behavior and data inconsistencies that can follow. The bug stems from an incorrect assumption about the number of documents in a batch, inferred from a document's size exceeding the `BSONObjMaxSize` limit. Technical Details The issue arises during batched delete operations in MongoDB Server: when handling documents for deletion, the server incorrectly infers that a batch holds multiple documents solely because a document's size exceeds `BSONObjMaxSize`. This flawed logic trips an invariant, interrupting…