  • Cybersecurity Vulnerabilities

    CVE-2025-12086: Critical Vulnerability in WooCommerce Refund and Exchange Plugin Threatens User Data

    Overview

    A security vulnerability, identified as CVE-2025-12086, has been discovered in the Return Refund and Exchange For WooCommerce plugin for WordPress. This plugin, used by many WooCommerce store owners to manage returns, refunds, and exchanges, contains an Insecure Direct Object Reference (IDOR) flaw that could allow attackers to delete other users’ refund requests. The affected plugin versions are up to and including 4.5.5. This vulnerability poses a significant risk to the integrity of your store’s data and could lead to unauthorized modification of customer refund requests.

    Technical Details

    The vulnerability exists within the wps_rma_cancel_return_request AJAX endpoint. Due to a lack…

  • Cybersecurity Vulnerabilities

    Urgent: Critical Privilege Escalation Vulnerability in Realty Portal WordPress Plugin (CVE-2025-11985)

    Overview

    A high-severity vulnerability, identified as CVE-2025-11985, has been discovered in the Realty Portal plugin for WordPress. This vulnerability allows authenticated attackers with Subscriber-level access (or higher) to escalate their privileges to administrator. Versions 0.1 through 0.4.1 are affected. Immediate action is recommended to mitigate this risk.

    Technical Details

    The vulnerability stems from a missing capability check on the rp_save_property_settings function. Specifically, the plugin fails to properly validate whether the current user has the necessary permissions before allowing them to modify site options. This function is used to handle AJAX requests related to saving property settings. The lack of proper…

  • Cybersecurity Vulnerabilities

    EchBay Admin Security Plugin Under Attack: Unveiling CVE-2025-11885 – A Reflected XSS Vulnerability

    Overview

    CVE-2025-11885 identifies a reflected Cross-Site Scripting (XSS) vulnerability within the EchBay Admin Security plugin for WordPress. This vulnerability affects all versions up to and including 1.3.0. Due to insufficient input sanitization and output escaping of the ‘_ebnonce’ parameter, an unauthenticated attacker can inject arbitrary web scripts. Successful exploitation relies on tricking a user into clicking a malicious link.

    Technical Details

    The vulnerability resides in how the EchBay Admin Security plugin handles the ‘_ebnonce’ parameter. The plugin fails to properly sanitize and escape user-supplied input passed through this parameter before rendering it in the browser. An attacker can craft a…

  • Cybersecurity Vulnerabilities

    CVE-2025-11815: UiPress Lite Plugin Vulnerability Exposes WordPress Settings to Subscriber-Level Attackers

    Overview

    CVE-2025-11815 is a medium severity vulnerability affecting the UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress. Versions up to and including 3.5.08 are susceptible to unauthorized modification of data due to a missing capability check on the uip_save_site_option() function. This allows authenticated attackers with Subscriber-level access or higher to change arbitrary plugin settings.

    Technical Details

    The vulnerability stems from the lack of proper capability checks within the uip_save_site_option() function located in the admin/core/ajax-functions.php file. This function is responsible for saving site options based on user input. The absence of these checks means that even…

  • Cybersecurity Vulnerabilities

    Urgent: Stored XSS Vulnerability Discovered in Bulma Shortcodes WordPress Plugin (CVE-2025-11802)

    Overview

    A critical security vulnerability, identified as CVE-2025-11802, has been discovered in the Bulma Shortcodes plugin for WordPress. This flaw exposes websites using the plugin to Stored Cross-Site Scripting (XSS) attacks. All versions of the plugin up to and including version 1.0 are affected. The vulnerability allows authenticated attackers with contributor-level access or higher to inject malicious JavaScript code into website pages. This code will then execute whenever a user visits the compromised page, potentially leading to account takeover, data theft, or other malicious activities.

    Technical Details

    The vulnerability lies within the bulma-notification shortcode, specifically in the handling of the…

  • Cybersecurity Vulnerabilities

    AudioTube WordPress Plugin: Stored XSS Vulnerability (CVE-2025-11801) – Immediate Action Required!

    Overview

    CVE-2025-11801 is a security vulnerability affecting the AudioTube WordPress plugin, specifically versions up to and including 0.0.3. This vulnerability allows authenticated attackers with contributor-level access or higher to inject malicious JavaScript code into WordPress pages via the ‘caption’ attribute of the ‘audiotube’ shortcode. This is a Stored Cross-Site Scripting (XSS) vulnerability.

    Technical Details

    The vulnerability exists due to insufficient input sanitization and output escaping of the ‘caption’ attribute within the audiotube shortcode. This means that when a user with appropriate permissions (Contributor or higher) adds the audiotube shortcode to a post or page and includes malicious JavaScript within the…

  • Cybersecurity Vulnerabilities

    Urgent Security Alert: Stored XSS Found in Surbma | MiniCRM Shortcode WordPress Plugin (CVE-2025-11800)

    Overview

    This article details a Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-11800, affecting the Surbma | MiniCRM Shortcode plugin for WordPress. Versions up to and including 2.0 are vulnerable. This vulnerability allows authenticated attackers with contributor-level access or higher to inject malicious JavaScript code into pages and posts. This code executes whenever a user views the affected page, potentially leading to account compromise, data theft, or other malicious activities.

    Technical Details

    The vulnerability resides in the way the plugin handles the id attribute of the [minicrm] shortcode. The plugin fails to properly sanitize user-supplied input for this attribute and…

  • Cybersecurity Vulnerabilities

    Critical Security Update: Stored XSS Vulnerability in Affiliate AI Lite WordPress Plugin (CVE-2025-11799)

    Overview

    A stored Cross-Site Scripting (XSS) vulnerability has been identified in the Affiliate AI Lite plugin for WordPress. This vulnerability, tracked as CVE-2025-11799, affects all versions up to and including 1.0.1. Successful exploitation of this vulnerability could allow attackers to inject malicious JavaScript code into your WordPress site, potentially compromising user accounts and sensitive data.

    Technical Details

    The vulnerability exists within the affiai_img shortcode, specifically through the asin attribute. Due to insufficient input sanitization and output escaping of the asin attribute, authenticated users with contributor-level access or higher can inject arbitrary web scripts. When a user accesses a page containing…

  • Cybersecurity Vulnerabilities

    CVE-2025-11773: TokenICO Plugin Vulnerability Exposes WordPress to Contract Address Poisoning

    Overview

    CVE-2025-11773 is a security vulnerability discovered in the Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress. This flaw allows authenticated attackers with Subscriber-level access (or higher) to modify crucial data, specifically the smart contract addresses displayed by the plugin. This is achieved by exploiting a missing capability check on the saveDeployedContract function. All versions of the plugin up to and including 2.4.6 are affected.

    Technical Details

    The vulnerability resides within the saveDeployedContract function of the TokenICO plugin’s REST API. The lack of proper capability checks allows any authenticated user, even those with the lowest…

  • Cybersecurity Vulnerabilities

    CVE-2025-11771: Critical Security Flaw Exposes TokenICO WordPress Plugin to Unauthenticated Presale Counter Manipulation

    Overview

    CVE-2025-11771 is a medium severity vulnerability affecting the Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress. This flaw allows unauthenticated attackers to manipulate presale counters due to missing authentication and capability checks on the createSaleRecord function. All versions up to and including 2.4.6 are affected.

    Technical Details

    The vulnerability resides within the createSaleRecord function in the RestAPI.php file of the TokenICO plugin. Specifically, the code lacks proper authentication and authorization checks, allowing anyone to send arbitrary requests to this function without needing to be logged in or have the necessary permissions. Affected File: app/RestAPI.php…