Overview

This article provides an in-depth analysis of CVE-2025-66115, a critical Local File Inclusion (LFI) vulnerability identified in the Easy Invoice WordPress plugin. This vulnerability allows attackers to potentially read sensitive files on the server by manipulating the filename used in PHP’s include/require statements. The affected versions of Easy Invoice are versions 2.1.4 and earlier.

Technical Details

CVE-2025-66115 stems from an “Improper Control of Filename for Include/Require Statement” vulnerability. This means the Easy Invoice plugin doesn’t adequately sanitize or validate user-supplied input that is then used as part of a file path in a PHP `include`, `require`, `include_once`, or `require_once`…
-
Overview

CVE-2025-66114 identifies a critical security vulnerability affecting the “Show Variations as Single Products Woocommerce” plugin, also known as woo-show-single-variations-shop-category, for WordPress WooCommerce. This vulnerability, classified as a Missing Authorization issue, allows for the potential exploitation of incorrectly configured access control security levels. Specifically, versions up to and including 2.0 are affected.

Technical Details

The vulnerability stems from a lack of proper authorization checks within the plugin’s code. This allows unauthorized users to potentially access or manipulate product variations that should be restricted to specific user roles or administrative access. While the specific exploitation vector requires further investigation of the…
-
Published: 2025-11-21

Overview

This article details a critical security vulnerability, identified as CVE-2025-66113, affecting the Better Chat Support for Messenger WordPress plugin. This vulnerability is a Missing Authorization issue that allows for Exploiting Incorrectly Configured Access Control Security Levels. Successful exploitation could lead to unauthorized access and modification of sensitive plugin data or functionality. The affected versions of the Better Chat Support for Messenger plugin are from n/a through version 1.2.18.

Technical Details

CVE-2025-66113 stems from a Missing Authorization vulnerability within the Better Chat Support for Messenger plugin. The plugin fails to properly validate user permissions before granting access to…
-
Overview

This article provides an in-depth analysis of CVE-2025-66112, a critical security vulnerability identified in the WebToffee Accessibility Toolkit (also known as Accessibility Toolkit by WebYes accessibility-plus) WordPress plugin. This vulnerability exposes WordPress sites using the plugin to potential unauthorized access and manipulation due to a missing authorization check. The affected versions of the plugin are from n/a through and including version 2.0.4. Website administrators using these versions are strongly advised to update to a patched version as soon as possible.

Technical Details

CVE-2025-66112 is classified as a Missing Authorization vulnerability, categorized under “Exploiting Incorrectly Configured Access Control Security Levels.”…
-
Overview

A Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-66111, has been discovered in the Nelio Popups WordPress plugin. This vulnerability affects versions 1.3.0 and below. A successful exploit could allow attackers to inject malicious scripts into the plugin’s settings, which are then executed in the browsers of other users who access the affected WordPress dashboard. This can lead to various malicious activities, including account compromise and malware distribution.

Technical Details

The vulnerability resides in the improper neutralization of user-supplied input during web page generation within the Nelio Popups plugin. Specifically, the plugin fails to adequately sanitize input fields used…
-
Overview

CVE-2025-66110 describes a missing authorization vulnerability discovered in the bPlugins Tiktok Feed plugin for WordPress. This vulnerability, affecting versions up to and including 1.0.22, allows attackers to potentially exploit incorrectly configured access control security levels. This could lead to unauthorized access and modification of plugin settings or data.

Technical Details

The vulnerability stems from a lack of proper authorization checks within the plugin’s code. Specifically, certain functions or endpoints responsible for managing the TikTok feed configuration do not adequately verify the user’s permissions before executing privileged operations. This allows an attacker, possibly with lower-level privileges or even without authentication,…
-
Overview

CVE-2025-66109 describes a Missing Authorization vulnerability found in the Cart Weight for WooCommerce plugin, specifically affecting versions up to and including 1.9.11. This vulnerability allows attackers to potentially exploit incorrectly configured access control security levels, potentially leading to unauthorized actions or data access within the WooCommerce environment.

Technical Details

The vulnerability stems from a lack of proper authorization checks within the Cart Weight for WooCommerce plugin. Specifically, the plugin fails to adequately verify user permissions before allowing certain actions related to cart weight management. This allows an attacker, possibly with minimal privileges, to bypass intended security measures and perform…
-
Overview

A significant security vulnerability, identified as CVE-2025-66108, has been discovered in the TNC Toolbox: Web Performance WordPress plugin developed by Merlot Digital (by TNC). This “Missing Authorization” vulnerability allows for potential exploitation of incorrectly configured access control security levels. The affected versions of the plugin are from n/a through version 2.0.4.

Technical Details

The vulnerability stems from a lack of proper authorization checks within the TNC Toolbox: Web Performance plugin. This means that certain functionalities or data, which should be restricted to specific user roles or permissions, are accessible without proper authentication or authorization. An attacker could potentially leverage…
-
Overview

A significant security vulnerability, identified as CVE-2025-66107, has been discovered in the Subscriptions & Memberships for PayPal WordPress plugin, affecting versions up to and including 1.1.7. This vulnerability stems from a “Missing Authorization” issue, leading to “Exploiting Incorrectly Configured Access Control Security Levels”. Essentially, it allows unauthorized users to potentially access or modify sensitive data or functionalities, compromising the security of websites using the affected plugin.

Technical Details

The core of this vulnerability lies in the inadequate implementation of access control mechanisms within the plugin. The plugin fails to properly verify the authorization of users attempting to perform certain…
-
Overview

CVE-2025-66106 identifies a missing authorization vulnerability within the WordPress Featured Post Creative plugin. This flaw, categorized as “Exploiting Incorrectly Configured Access Control Security Levels,” allows attackers to potentially bypass intended access restrictions and perform unauthorized actions. The affected plugin versions range from n/a up to and including version 1.5.5.

Technical Details

The vulnerability stems from a lack of proper authorization checks within the Featured Post Creative plugin. Specifically, certain functionalities or endpoints within the plugin do not adequately verify the user’s permissions before allowing access. This means an attacker, potentially with low-level privileges or even unauthenticated, could manipulate requests…