Overview

CVE-2025-13135 identifies a Stored Cross-Site Scripting (XSS) vulnerability affecting the HotelRunner Booking Widget plugin for WordPress. This vulnerability resides within the plugin’s ‘hotelrunner’ shortcode and impacts all versions up to and including 5.2.4. Due to insufficient input sanitization and output escaping, authenticated attackers with contributor-level access or higher can inject malicious web scripts into WordPress pages. When other users visit these compromised pages, the injected scripts execute, potentially leading to account compromise, data theft, or website defacement.

Technical Details

The vulnerability stems from the plugin’s failure to properly sanitize and escape user-supplied attributes within the ‘hotelrunner’ shortcode. Specifically, an…

Overview

CVE-2025-13134 describes a Cross-Site Request Forgery (CSRF) vulnerability found in the AuthorSure plugin for WordPress. This vulnerability affects all versions of the plugin up to and including version 2.3. Due to missing or insufficient nonce validation, attackers can potentially trick administrators into performing unintended actions, such as updating plugin settings or injecting malicious scripts into the WordPress site.

Technical Details

The AuthorSure plugin versions 2.3 and below lack proper protection against CSRF attacks on the ‘authorsure’ page. Specifically, the plugin does not adequately validate nonces when processing requests to modify plugin settings. This allows an unauthenticated attacker to craft…

Overview

CVE-2025-12894 is a medium-severity vulnerability affecting the “Import WP – Export and Import CSV and XML files to WordPress” plugin for WordPress. This vulnerability allows unauthenticated attackers to potentially access sensitive data due to insufficient access control on exported and imported files. This flaw exists in versions up to and including 2.14.17.

Technical Details

The Import WP plugin versions up to 2.14.17 are vulnerable to sensitive information exposure. The root cause of the vulnerability lies in the improper protection of the /exportwp and /importwp directories. These directories, which store exported and imported files respectively, lack proper .htaccess protection. As…

Overview

CVE-2025-12881 identifies a medium-severity Insecure Direct Object Reference (IDOR) vulnerability affecting the “Return Refund and Exchange For WooCommerce” plugin for WordPress. This vulnerability exists in versions up to and including 4.5.5. Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability to read order messages belonging to other users.

Technical Details

The vulnerability lies within the wps_rma_fetch_order_msgs() function of the plugin. Due to a lack of proper validation on a user-controlled key (likely the order ID), an attacker can manipulate the request to access order messages associated with arbitrary order IDs. This effectively allows them to bypass…

Overview

CVE-2025-12746 identifies a Reflected Cross-Site Scripting (XSS) vulnerability in the Tainacan plugin for WordPress. This vulnerability affects all versions up to and including 1.0.0. The plugin fails to properly sanitize user-supplied input in the search parameter, allowing an unauthenticated attacker to inject malicious JavaScript code into a vulnerable page. If a user clicks a specially crafted link containing the malicious code, the script will execute in their browser, potentially allowing the attacker to steal cookies, redirect the user to a phishing site, or deface the website.

Technical Details

The vulnerability stems from the insufficient input sanitization and output escaping…

Overview

CVE-2025-12661 identifies a stored Cross-Site Scripting (XSS) vulnerability found in the Pollcaster Shortcode Plugin for WordPress. Versions up to and including 1.0 are affected. The vulnerability stems from insufficient sanitization and escaping of user-supplied input within the ‘pollcaster’ shortcode, specifically the ‘height’ parameter. This allows authenticated attackers with contributor-level access or higher to inject malicious JavaScript code into WordPress pages. When a user visits a page containing the injected code, the script executes in their browser, potentially leading to account compromise or other malicious activities.

Technical Details

The vulnerability resides within the processing of the pollcaster shortcode. The ‘height’…

Overview

CVE-2025-12660 is a security vulnerability affecting the Padlet Shortcode plugin for WordPress. Specifically, it’s a Stored Cross-Site Scripting (XSS) vulnerability found in versions up to and including 1.3. This flaw allows authenticated attackers with contributor-level access or higher to inject malicious JavaScript code into pages. When other users, including administrators, visit these compromised pages, the injected scripts execute, potentially leading to account compromise, data theft, or other malicious activities.

Technical Details

The vulnerability stems from insufficient input sanitization and output escaping of the ‘key’ parameter within the wallwisher shortcode. The plugin fails to properly validate and encode user-supplied attributes…

Overview

CVE-2025-12170 is a medium-severity vulnerability discovered in the Checkbox plugin for WordPress. This vulnerability allows unauthenticated attackers to clear log files due to a missing capability check on the wp_ajax_nopriv_checkbox_clean_log AJAX endpoint. This affects all versions of the plugin up to and including 2.8.10.

Technical Details

The vulnerability exists because the wp_ajax_nopriv_checkbox_clean_log AJAX endpoint lacks proper authentication and authorization checks. Specifically, it does not verify whether the user making the request has the necessary capabilities to clear the plugin’s log files. This allows anyone, even unauthenticated users, to trigger this function by sending a crafted AJAX request. The…

Overview

A high-severity vulnerability, identified as CVE-2025-12138, has been discovered in the URL Image Importer plugin for WordPress. This vulnerability allows authenticated attackers with Author-level access or higher to upload arbitrary files to the affected server, potentially leading to remote code execution (RCE). This article provides a detailed analysis of the vulnerability, its potential impact, and recommended mitigation steps.

Technical Details

The vulnerability stems from insufficient file type validation within the uimptr_import_image_from_url() function of the URL Image Importer plugin. Specifically, versions up to and including 1.0.6 rely on the user-controlled Content-Type HTTP header to determine the file type during the…

Overview

A high-severity stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-12135, has been discovered in the WPBookit plugin for WordPress. This vulnerability affects all versions up to and including 1.0.6. It allows unauthenticated attackers to inject malicious JavaScript code into pages that will be executed when other users access those pages, potentially leading to account compromise, data theft, or website defacement. This issue stems from a missing capability check within the `save_custome_code()` function.

Technical Details

The vulnerability resides in the way the WPBookit plugin handles custom CSS code input. The `save_custome_code()` function, responsible for saving the CSS code provided by…