Overview
A high-severity vulnerability, identified as CVE-2025-13069, has been discovered in the Enable SVG, WebP, and ICO Upload plugin for WordPress. It allows authenticated attackers with Author-level access or higher to upload arbitrary files to the affected server, because the plugin does not sufficiently validate the type of files it accepts as ICO images. All versions of the plugin up to and including 1.1.2 are affected. An attacker who can place an arbitrary file on the server can achieve remote code execution (RCE) if the web server later executes that file, so the risk to an affected site is significant.
Technical Details
The core issue lies in the plugin’s inadequate validation of ICO…
-
Overview
A critical vulnerability, identified as CVE-2025-12955, has been discovered in the Live Sales Notifications for WooCommerce plugin for WordPress. It allows unauthenticated attackers to access sensitive customer information because of a missing authorization check in the `getOrders` function. All versions up to and including 2.3.39 are affected. If you use this plugin, update to the latest version as soon as possible.
Technical Details
The vulnerability lies in the `getOrders` function of the plugin, which retrieves recent order data for display in the live sales notifications. The plugin lacks proper authorization…
-
Overview
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Photonic Gallery & Lightbox for Flickr, SmugMug & Others plugin for WordPress. Tracked as CVE-2025-12691, this flaw allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. The injected script runs in the browser of every user who views a page containing the injected content, administrators included. All versions of the Photonic Gallery plugin up to and including 3.21 are affected.
Technical Details
The vulnerability stems from insufficient input sanitization and output escaping of the user-supplied caption attribute within the plugin’s lightbox functionality. Specifically, when users create or…
-
Overview
CVE-2025-12639 identifies an authorization bypass vulnerability affecting the wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions plugin for WordPress. It allows authenticated attackers with Subscriber-level access or higher to read information they should not have access to, including user emails, usernames, roles, capabilities, and WooCommerce data such as products and payment methods. Versions up to and including 1.2.2 of the plugin are affected.
Technical Details
The vulnerability stems from the plugin’s improper verification of user authorization when handling AJAX requests. Specifically, the AJAX endpoint does not adequately check if the requesting user…
-
Overview
CVE-2025-12481 is a medium-severity vulnerability affecting the WP Duplicate Page plugin for WordPress, versions up to and including 1.7. It stems from a missing authorization check in the ‘saveSettings’ function. An attacker with Contributor-level access or higher can exploit it to modify plugin settings, which can lead to privilege escalation and unauthorized access to sensitive information.
Technical Details
The vulnerability resides in the insufficient authorization checks within the saveSettings function of the WP Duplicate Page plugin. Specifically, the plugin does not adequately verify that a user has the necessary permissions before allowing them to modify the plugin’s settings…
-
Overview
This article details CVE-2025-12457, a Stored Cross-Site Scripting (XSS) vulnerability identified in the “Enable SVG, WebP, and ICO Upload” plugin for WordPress. It allows authenticated attackers with Author-level access or higher to upload SVG files containing malicious JavaScript. The script executes when a user opens such a file directly in the browser (an SVG embedded through an <img> tag does not run scripts, but the file’s own URL in the media library does), potentially leading to account compromise, data theft, or other malicious activity.
Technical Details
The vulnerability exists because the plugin fails to properly sanitize the SVG content during upload and does not adequately escape output when rendering these files. Specifically, versions of the plugin up to and…
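The ICO entry above (CVE-2025-13069, arbitrary upload through weak ICO validation) and this SVG entry both come down to what the plugin accepts at upload time. The following is an added example, not code from the Enable SVG, WebP, and ICO Upload plugin: it hooks WordPress core's `wp_handle_upload_prefilter` filter, checks that a file claiming to be `.ico` actually begins with the ICO directory header, and refuses SVGs that carry scriptable content. The function names and error strings are hypothetical; the SVG check is a denylist written to show the idea, and a maintained SVG sanitizer library is the better choice for production.

```php
<?php
// Added example, not the plugin's own code. The hooks are real WordPress
// core filters; function names and messages are hypothetical.

// An ICO file starts with a 6-byte ICONDIR: reserved (0), type (1 = icon,
// 2 = cursor) and image count, all little-endian 16-bit values.
function example_is_real_ico( $path ) {
    $fh = fopen( $path, 'rb' );
    if ( ! $fh ) {
        return false;
    }
    $head = fread( $fh, 6 );
    fclose( $fh );
    if ( strlen( $head ) < 6 ) {
        return false;
    }
    $h = unpack( 'vreserved/vtype/vcount', $head );
    return 0 === $h['reserved'] && 1 === $h['type'] && $h['count'] > 0;
}

// Reject SVG markup that a browser could execute when the file is opened
// directly: script elements, foreignObject (hosts arbitrary HTML), on*
// event attributes and javascript: URLs. Denylist, for illustration only.
function example_svg_is_safe( $xml ) {
    $prev = libxml_use_internal_errors( true );
    $doc  = new DOMDocument();
    // LIBXML_NONET stops the parser fetching remote DTDs or entities.
    $ok = $doc->loadXML( $xml, LIBXML_NONET );
    libxml_clear_errors();
    libxml_use_internal_errors( $prev );
    if ( ! $ok ) {
        return false; // not well-formed XML: refuse rather than guess
    }
    $xp     = new DOMXPath( $doc );
    $checks = array(
        // element names (SVG is XML, so names are case-sensitive)
        '//*[local-name()="script" or local-name()="foreignObject"]',
        // any attribute whose name starts with "on", in any letter case
        '//@*[starts-with(translate(local-name(),"ON","on"),"on")]',
        // href / xlink:href pointing at a javascript: URL
        '//@*[local-name()="href" and contains(translate(normalize-space(.),"JAVASCRIPT","javascript"),"javascript:")]',
    );
    foreach ( $checks as $query ) {
        $hits = $xp->query( $query );
        if ( false === $hits || $hits->length > 0 ) {
            return false;
        }
    }
    return true;
}

// wp_handle_upload_prefilter runs before the file is moved into the media
// library; setting $file['error'] aborts the upload with that message.
add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( 'ico' === $ext && ! example_is_real_ico( $file['tmp_name'] ) ) {
        $file['error'] = 'File does not have a valid ICO header.';
    } elseif ( 'svg' === $ext ) {
        $xml = file_get_contents( $file['tmp_name'] );
        if ( false === $xml || ! example_svg_is_safe( $xml ) ) {
            $file['error'] = 'SVG contains scriptable content and was rejected.';
        }
    }
    return $file;
} );
```

The point of the ICO check is that the file extension and the declared MIME type are both attacker-controlled, so the accept/reject decision has to rest on the bytes. The SVG check refuses rather than rewrites: stripping the offending nodes and saving the remainder is what a sanitizer does, but it has to be done with an allow-list of elements and attributes, not the short denylist shown here.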
-
Overview
CVE-2025-12392 is a medium-severity vulnerability affecting the Cryptocurrency Payment Gateway for WooCommerce plugin for WordPress. It allows unauthenticated attackers to modify user tracking preferences (opt-in/opt-out) because of a missing capability check in the ‘handle_optin_optout’ function. All versions up to and including 2.0.22 are affected.
Technical Details
The vulnerability resides within the handle_optin_optout function of the plugin. The function lacks an authorization check to verify that the user initiating the request has the capability needed to modify tracking settings. As a result, an unauthenticated attacker can craft a request to either opt in or opt out a user…
-
Overview
CVE-2025-12391 is a medium-severity vulnerability affecting the Restrictions for BuddyPress plugin for WordPress. It allows unauthenticated attackers to manipulate user tracking preferences, opting users in or out of tracking, without authorization. The vulnerability stems from a missing capability check on the handle_optin_optout() function. All versions of the plugin up to and including 1.5.2 are affected.
Technical Details
The vulnerability resides in the handle_optin_optout() function within the Restrictions for BuddyPress plugin. Because there is no capability check, the function can be reached and executed by unauthenticated users. Attackers can exploit this by…
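Five of the entries on this page (CVE-2025-12955, CVE-2025-12639, CVE-2025-12481, CVE-2025-12392 and CVE-2025-12391) are the same defect class: an admin-ajax.php handler that performs a privileged action, or returns privileged data, without asking who is calling. The following is an added example, not code from any of those plugins, showing the vulnerable shape next to a hardened one. The action name, option key and script handle are hypothetical; the WordPress functions are real core APIs.

```php
<?php
// Added example, not code from any plugin listed above. Action name,
// option key and script handle are hypothetical.

// Vulnerable shape: registered on both hooks, so logged-out visitors reach
// it, and the body never asks who is calling or whether the request was
// intended by that user.
function example_optin_vulnerable() {
    $state = isset( $_POST['state'] ) ? $_POST['state'] : '';
    update_option( 'example_tracking_optin', 'yes' === $state ? 'yes' : 'no' );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_optin_vulnerable', 'example_optin_vulnerable' );
add_action( 'wp_ajax_nopriv_example_optin_vulnerable', 'example_optin_vulnerable' );

// Hardened shape.
function example_optin_hardened() {
    // 1. Authorization: only users who may manage settings get past here.
    //    A nonce alone is not authorization; any logged-in user who can
    //    read a page that prints the nonce can replay it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // 2. CSRF protection: the nonce ties the request to this user's session.
    //    check_ajax_referer() dies with a -1 response on failure.
    check_ajax_referer( 'example_optin', 'nonce' );
    // 3. Input validation against an allow-list rather than trusting $_POST.
    $state = isset( $_POST['state'] ) ? sanitize_key( wp_unslash( $_POST['state'] ) ) : '';
    if ( ! in_array( $state, array( 'yes', 'no' ), true ) ) {
        wp_send_json_error( array( 'message' => 'invalid state' ), 400 );
    }
    update_option( 'example_tracking_optin', $state );
    wp_send_json_success( array( 'state' => $state ) );
}
// Deliberately no wp_ajax_nopriv_ registration: unauthenticated callers get
// WordPress's default "0" response and never reach the handler.
add_action( 'wp_ajax_example_optin_hardened', 'example_optin_hardened' );

// Emit the nonce where the settings page's script (assumed already
// registered under the handle 'example-settings') can read it.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-settings', 'exampleOptin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_optin' ),
    ) );
} );
```

Two things the entries above illustrate. Registering on `wp_ajax_nopriv_` is what turns a missing check into an unauthenticated issue (CVE-2025-12955, CVE-2025-12392, CVE-2025-12391); leaving it off is not enough on its own, because `wp_ajax_` is reachable by any logged-in account, which is the Subscriber- and Contributor-level case (CVE-2025-12639, CVE-2025-12481). And the same `current_user_can()` test belongs in front of read-only endpoints such as `getOrders`: returning customer data is as privileged as changing a setting.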
-
Overview
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Meta Display Block plugin for WordPress. Tracked as CVE-2025-12088, it affects all versions up to and including 1.0.0 and allows authenticated attackers with Contributor-level access or higher to inject malicious JavaScript into pages. The injected code executes whenever a user views the affected page, potentially compromising that user’s session and, through it, the site.
Technical Details
The Meta Display Block plugin suffers from insufficient input sanitization and output escaping when handling data related to the Meta Display Block. This allows an attacker to inject arbitrary…
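The two stored-XSS entries above (the caption attribute in CVE-2025-12691 and the block data here) share a root cause: a value a Contributor controls is written into HTML without escaping for the context it lands in. The following is an added example, not code from the Photonic Gallery or Meta Display Block plugins; the shortcode name and attribute names are hypothetical, the escaping functions are WordPress core.

```php
<?php
// Added example, not code from either plugin. Shortcode and attribute
// names are hypothetical; esc_* functions are WordPress core.

// Vulnerable: the caption is concatenated straight into markup. A
// Contributor can write
//   [example_gallery_vulnerable caption='x" onmouseover="alert(1)']
// and the handler runs for whoever views or previews the post.
function example_gallery_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'src' => '', 'caption' => '' ), $atts );
    return '<figure><img src="' . $atts['src'] . '" alt="' . $atts['caption'] . '">'
         . '<figcaption>' . $atts['caption'] . '</figcaption></figure>';
}
add_shortcode( 'example_gallery_vulnerable', 'example_gallery_vulnerable' );

// Hardened: escape each value for the exact context it is written into.
function example_gallery_hardened( $atts ) {
    $atts = shortcode_atts( array( 'src' => '', 'caption' => '' ), $atts );
    // URL context: esc_url() also rejects javascript: and data: schemes.
    $src = esc_url( $atts['src'] );
    // Attribute context: esc_attr() encodes quotes so the value cannot
    // close the alt="" it sits in and start a new attribute.
    $alt = esc_attr( $atts['caption'] );
    // Element content: esc_html() encodes < > & so no tag is parsed.
    // If limited markup in captions is a feature, use wp_kses_post() here.
    $caption = esc_html( $atts['caption'] );
    return '<figure><img src="' . $src . '" alt="' . $alt . '">'
         . '<figcaption>' . $caption . '</figcaption></figure>';
}
add_shortcode( 'example_gallery', 'example_gallery_hardened' );
```

Why Contributor-level matters: a Contributor cannot publish, but a pending post is previewed by an Editor or Administrator, so the payload runs with the reviewer's session. WordPress does run Contributor content through `wp_kses` on save, which strips tags such as `<script>` wherever they appear, but the quote-and-`on*`-attribute payload above contains no tag and survives to output, which is why escaping has to happen at render time and per context.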
-
Overview
CVE-2025-12079 details a Reflected Cross-Site Scripting (XSS) vulnerability in the WP Twitter Auto Publish plugin for WordPress. It affects all versions of the plugin up to and including 1.7.3. Because the plugin does not sufficiently sanitize and escape data it receives via PostMessage, unauthenticated attackers can inject arbitrary web scripts into pages. Exploitation requires tricking a user into clicking a malicious link, since a reflected payload only fires in the browser of the victim who follows it.
Technical Details
The vulnerability lies in how the WP Twitter Auto Publish plugin handles data received via the PostMessage API. The plugin fails to properly sanitize and escape this data before rendering it in the user’s browser.…