  • Cybersecurity Vulnerabilities

    CVE-2025-13860: Critical Stored XSS Flaw Plagues Easy Jump Links Menus WordPress Plugin

    Overview CVE-2025-13860 describes a stored Cross-Site Scripting (XSS) vulnerability found in the Easy Jump Links Menus plugin for WordPress. This vulnerability affects all versions up to and including 1.0.0. The flaw stems from insufficient input sanitization and output escaping of the h_tags parameter. Authenticated attackers with Contributor-level access or higher can exploit this vulnerability to inject malicious JavaScript code into pages. When a user visits a page containing the injected script, the script will execute in their browser, potentially allowing the attacker to steal sensitive information, redirect the user to a malicious website, or perform actions on behalf of the…

  • Cybersecurity Vulnerabilities

    Beware! Reflected XSS Found in WP-SOS-Donate Plugin: CVE-2025-13625

    Overview A reflected Cross-Site Scripting (XSS) vulnerability has been identified in the WP-SOS-Donate Donation Sidebar Plugin for WordPress, tracked as CVE-2025-13625. This vulnerability affects all versions up to and including 0.9.2. Due to insufficient input sanitization and output escaping of the $_SERVER['PHP_SELF'] parameter, unauthenticated attackers can inject arbitrary web scripts into pages. This script executes if a user is tricked into performing an action, such as clicking a malicious link.

    Technical Details The vulnerability resides within the wp-sos-donate_options.php file of the WP-SOS-Donate plugin. The $_SERVER['PHP_SELF'] variable, which contains the filename of the currently executing script, is not properly sanitized before…

  • Cybersecurity Vulnerabilities

    Critical Alert: Twitscription Plugin Exposes WordPress Sites to XSS Attacks (CVE-2025-13623)

    Overview A reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Twitscription plugin for WordPress. This vulnerability, tracked as CVE-2025-13623, affects all versions up to and including 0.1.1. Unauthenticated attackers can leverage this flaw to inject arbitrary web scripts into vulnerable pages. If a user clicks a malicious link, the injected script can execute, potentially compromising their session or performing actions on their behalf.

    Technical Details The vulnerability stems from insufficient input sanitization and output escaping within the admin.php file, specifically when handling the PATH_INFO variable. The Twitscription plugin fails to properly sanitize and encode user-supplied data passed through…

  • Cybersecurity Vulnerabilities

    CVE-2025-13622: Unveiling a Reflected XSS Vulnerability in Jabbernotification WordPress Plugin

    Overview CVE-2025-13622 identifies a Reflected Cross-Site Scripting (XSS) vulnerability present in the Jabbernotification plugin for WordPress. This vulnerability affects all versions up to and including 0.99-RC2. It stems from insufficient input sanitization and output escaping within the plugin’s admin.php file when processing the PATH_INFO variable. This allows attackers to inject malicious JavaScript code into web pages, which can execute if a user interacts with a crafted link. Unauthenticated attackers can exploit this by tricking users into clicking a malicious link.

    Technical Details The vulnerability resides in the way the Jabbernotification plugin handles the PATH_INFO variable within the admin.php file. Specifically,…

  • Cybersecurity Vulnerabilities

    Critical Vulnerability Alert: Dream Gallery Plugin Exposes WordPress Sites to CSRF Attacks (CVE-2025-13621)

    Overview A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Dream Gallery plugin for WordPress, tracked as CVE-2025-13621. This vulnerability affects all versions of the plugin up to and including version 1.0. Due to missing or inadequate nonce validation on the ‘dreampluginsmain’ AJAX action, unauthenticated attackers can potentially modify the plugin’s settings and inject malicious web scripts by crafting a forged request. The success of this attack relies on tricking a site administrator into unknowingly triggering the request, for instance, by clicking a malicious link.

    Technical Details The vulnerability stems from the lack of proper nonce validation within…

  • Cybersecurity Vulnerabilities

    Sermon Manager Plugin Under Attack: Stored XSS Vulnerability (CVE-2025-12368)

    Overview A medium-severity security vulnerability, identified as CVE-2025-12368, has been discovered in the Sermon Manager plugin for WordPress. This vulnerability exposes websites using the plugin to Stored Cross-Site Scripting (XSS) attacks. All versions of the plugin up to and including 2.30.0 are affected. This article provides an overview of the vulnerability, technical details, potential impact, and steps to mitigate the risk.

    Technical Details The vulnerability lies within the sermon-views shortcode. Insufficient input sanitization and output escaping on user-supplied attributes within this shortcode allow authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages or posts. Specifically,…

  • Cybersecurity Vulnerabilities

    CVE-2025-12189: Critical CSRF Vulnerability Exposes Bread & Butter WordPress Plugin to RCE

    Overview CVE-2025-12189 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the “Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents” WordPress plugin. This vulnerability exists in all versions up to, and including, 7.10.1321. Successful exploitation could allow unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution (RCE).

    Technical Details The vulnerability lies in the uploadImage() function within the Bread & Butter plugin. The function lacks proper nonce validation, making it susceptible to CSRF attacks. An attacker can craft a malicious request and trick a WordPress administrator into executing it…

  • Cybersecurity Vulnerabilities

    ContentStudio Plugin Under Attack: Critical Arbitrary File Upload Vulnerability (CVE-2025-12181)

    Overview A high-severity vulnerability, tracked as CVE-2025-12181, has been identified in the ContentStudio plugin for WordPress. This vulnerability allows authenticated users with Author-level access and above to upload arbitrary files to the affected WordPress server. This is due to missing file type validation in the cstu_update_post() function. Successful exploitation of this vulnerability could lead to remote code execution (RCE), posing a significant risk to the affected website.

    Technical Details The vulnerability resides within the cstu_update_post() function in the ContentStudio plugin. Specifically, the plugin fails to properly validate the type of files being uploaded. An authenticated attacker with Author-level permissions or…

  • Cybersecurity Vulnerabilities

    Critical Alert: Stored XSS Vulnerability Discovered in Omnipress WordPress Plugin (CVE-2025-12163)

    Overview A stored Cross-Site Scripting (XSS) vulnerability has been identified in the Omnipress WordPress plugin. This vulnerability, tracked as CVE-2025-12163, affects versions up to and including 1.6.3. It allows authenticated attackers with Author-level permissions or higher to inject arbitrary web scripts into SVG files uploaded through the plugin. These scripts will then execute whenever a user accesses the affected SVG file.

    Technical Details The vulnerability stems from insufficient input sanitization and output escaping during the processing of SVG file uploads. Specifically, the Omnipress plugin fails to properly sanitize user-supplied data within SVG files before storing them on the server. This…

  • Cybersecurity Vulnerabilities

    Urgent: Auto Thumbnailer Plugin Flaw Opens Door to Remote Code Execution on WordPress Sites (CVE-2025-12154)

    Overview A critical vulnerability, identified as CVE-2025-12154, has been discovered in the Auto Thumbnailer plugin for WordPress. This flaw allows authenticated attackers, with Contributor-level access or higher, to upload arbitrary files to the affected WordPress server. Due to the lack of proper file type validation, this can lead to remote code execution (RCE), potentially granting attackers full control of the compromised website.

    Technical Details The vulnerability resides in the uploadThumb() function within the Auto Thumbnailer plugin. The function lacks adequate validation of the file type being uploaded. An attacker can exploit this by uploading a malicious file (e.g., a PHP…