Overview: A high-severity vulnerability, identified as CVE-2025-13035, has been discovered in the Code Snippets plugin for WordPress. This vulnerability affects all versions up to and including 3.9.1. It allows authenticated attackers with Contributor-level access or higher to inject and execute arbitrary PHP code on the server. Exploitation requires that the “Enable file-based execution” setting is enabled by an administrator and at least one active Content snippet exists. This poses a significant risk to WordPress websites utilizing the affected plugin. Technical Details: The vulnerability stems from the insecure use of the extract() function within the evaluate_shortcode_from_flat_file method of the Code Snippets…
Overview: A high-severity Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-12484, has been discovered in the Giveaways and Contests by RafflePress WordPress plugin. This plugin, designed to help users grow website traffic, email subscribers, and social followers, is affected in all versions up to and including 1.12.19. The vulnerability stems from insufficient input sanitization and output escaping of social media username parameters, allowing unauthenticated attackers to inject malicious JavaScript code into vulnerable pages. This code can then execute in the browsers of unsuspecting users who visit these pages. Technical Details: The vulnerability is present due to the plugin failing to…
Overview: CVE-2025-13085 is a medium-severity vulnerability affecting the SiteSEO – SEO Simplified plugin for WordPress, versions up to and including 1.3.2. This vulnerability allows authenticated attackers with the siteseo_manage capability (typically Author-level users granted SiteSEO access by an administrator) to read arbitrary post metadata from any post, page, attachment, or WooCommerce order, even if they lack editing permissions. This is due to a lack of object-level authorization in the resolve_variables() AJAX handler. In WooCommerce installations, this can lead to the exposure of highly sensitive customer billing information, including names, email addresses, phone numbers, physical addresses, and payment methods. Technical Details…
A critical security vulnerability has been identified in the SureForms plugin for WordPress, potentially exposing websites to Cross-Site Request Forgery (CSRF) attacks. This blog post details the vulnerability, its potential impact, and how to mitigate the risk. Overview: CVE-2025-12535 affects all versions of the SureForms plugin up to and including version 1.13.1. The vulnerability stems from the plugin’s improper use of WordPress REST API nonces, allowing unauthenticated attackers to bypass CSRF protection mechanisms. This oversight can lead to unauthorized actions being triggered on vulnerable websites. Technical Details: The SureForms plugin utilizes WordPress’s REST API for handling form submissions. While the…
Overview: CVE-2025-12056 describes an out-of-bounds read vulnerability identified in Shelly Pro 3EM devices, specifically in versions prior to v1.4.4. This vulnerability could allow an attacker to potentially read sensitive information from the device’s memory due to insufficient bounds checking when handling specific data inputs. The discovery was reported and analyzed by Nozomi Networks. Technical Details: The vulnerability, classified as an Out-of-Bounds Read, arises from a flaw in how the Shelly Pro 3EM firmware handles certain input data. Specifically, the device fails to properly validate the size or boundaries of data being accessed, leading to the possibility of reading memory locations…
Overview: CVE-2025-11243 identifies a vulnerability affecting Shelly Pro 4PM devices prior to version 1.6. This vulnerability stems from a lack of proper limits or throttling mechanisms when allocating resources, allowing an attacker to potentially exhaust device resources via network requests. This can lead to denial-of-service (DoS) conditions, impacting the device’s functionality and availability. Technical Details: The vulnerability resides in how the Shelly Pro 4PM handles network requests. Without proper resource management (limits and throttling), a malicious actor can flood the device with requests that consume excessive resources, such as memory or CPU. The specifics of the affected network protocols or…
Overview: A high-severity vulnerability, identified as CVE-2025-13145, has been discovered in the WP Import – Ultimate CSV XML Importer for WordPress plugin. This vulnerability affects all versions up to and including 7.33.1. It is a PHP Object Injection vulnerability that could allow authenticated attackers with administrator-level access to inject malicious PHP objects, potentially leading to arbitrary code execution, data breaches, or file deletion. This blog post provides a detailed analysis of the vulnerability, its potential impact, and the steps you need to take to protect your WordPress website. Technical Details: The vulnerability stems from the deserialization of untrusted data within…
Overview: CVE-2025-13054 is a Stored Cross-Site Scripting (XSS) vulnerability identified in the User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress. This vulnerability affects all versions up to and including 3.14.8. An authenticated attacker with contributor-level access or higher can exploit this flaw to inject malicious JavaScript code into pages that utilize the vulnerable plugin’s shortcode. When other users access these compromised pages, the injected script will execute, potentially leading to account compromise, data theft, or other malicious activities. Technical Details: The vulnerability stems from the insufficient input sanitization and output escaping…
Overview: CVE-2025-12878 is a medium-severity security vulnerability affecting the FunnelKit – Funnel Builder for WooCommerce Checkout plugin for WordPress. Specifically, a Stored Cross-Site Scripting (XSS) vulnerability exists in versions up to and including 3.13.1.2. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject malicious JavaScript code into pages. When other users access these compromised pages, the injected script executes, potentially leading to account takeover, data theft, or other malicious activities. Technical Details: The vulnerability stems from insufficient input sanitization and output escaping within the `wfop_phone` shortcode. The `default` attribute of this shortcode allows users to specify a…
Overview: CVE-2025-12842 is a medium-severity vulnerability affecting the Booking Plugin for WordPress Appointments – Time Slot plugin, impacting versions up to and including 1.4.7. This vulnerability allows unauthenticated attackers to send arbitrary emails via the plugin’s AJAX functionality. Due to missing validation on the tslot_appt_email AJAX action, attackers can craft malicious requests to send appointment notification emails to any recipient with attacker-controlled content. This poses a significant risk of phishing campaigns and spam distribution. Technical Details: The vulnerability stems from the lack of proper input validation and sanitization within the tslot_appt_email AJAX action. Specifically, the code responsible for processing email…