Plugin Security Certification (PSC) by CleanTalk

CVE-2025-14371 affects TaxoPress and it breaks a core WordPress safety boundary where a user may have access to an editor feature but should not be able to change content they cannot edit. The vulnerability allows any authenticated user who is permitted to use the TaxoPress AI metabox, typically Contributor or Author and above, to add or remove tags on posts they do not own by supplying a victim post ID. This becomes a direct content integrity issue because tags and other taxonomy terms drive search relevance, internal navigation, feeds, and SEO surfaces, meaning a low privilege account can silently reshape how content is discovered even when the same user cannot open the post editor for the target post. Install base is significant at 50k plus, so multi author environments where Contributors exist are realistic targets rather than edge cases.

CVE-2025-14163 is a Cross Site Request Forgery weakness in Premium Addons for Elementor that turns a normal authenticated workflow into a silent action a victim performs on an attacker’s behalf. The core problem is simple but dangerous in real operations a logged in user can be tricked into creating a new Elementor template without clicking anything and without seeing a warning, because the plugin’s AJAX action accepts a state changing request that lacks any CSRF protection. Even though the action requires a user who has edit_posts, that still covers a wide range of common roles on real sites such as Author and Editor, which means this is not limited to administrators and can be triggered against typical editorial staff who routinely browse the web while logged in.

CVE-2025-14155 is an unauthenticated information disclosure vulnerability in Premium Addons for Elementor – Powerful Elementor Templates & Widgets, where an external attacker can retrieve the rendered HTML of Elementor templates that were never meant to be publicly readable. The National Vulnerability Database (NVD) describes the root cause as a missing capability check in the plugin’s get_template_content function, enabling unauthenticated attackers to view the contents of private, draft, and pending templates in all versions up to and including 4.11.53. This matters in real deployments because Elementor templates often contain unpublished landing pages, internal copy, experiment variants, marketing plans, gated offers, or “coming soon” pages that site owners assume are only visible inside the editor/dashboard until explicitly published or embedded.

CVE-2025-11369 impacts the WordPress plugin Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns (“Essential Blocks”) and is a classic Missing / Incorrect Capability Check issue that results in unauthorized access to sensitive configuration data. The vulnerability allows authenticated users with Author-level access and above to retrieve API keys and tokens configured for external services, because several plugin entry points validate only a weak or incorrect permission boundary rather than a strict administrative capability. NVD summarizes the root cause precisely: missing or incorrect capability checks in functions associated with Instagram, Google Maps, and site info retrieval in all versions up to and including 5.7.2, enabling authenticated Author+ users to view API keys for external services. Because Essential Blocks has a large deployment footprint (200,000+ active installations on WordPress.org), the real-world impact is not niche—multi-author sites that grant Author roles routinely (editors, guest authors, content teams) are exactly the environments where this exposure becomes operationally relevant.

CVE-2025-13794 is an Incorrect Authorization / Missing Authorization (CWE-862) vulnerability in the WordPress plugin Auto Featured Image (Auto Post Thumbnail) that breaks WordPress’ object-level access control for post thumbnails when bulk actions are used from the Posts list screen. The vulnerability affects all versions up to and including 4.2.1, and it allows authenticated attackers with Contributor-level access or higher to delete or generate featured images on posts they do not own, effectively enabling cross-user content tampering without the normal “can you edit this specific post?” gate. Because the plugin is widely deployed (WordPress.org shows 50,000+ active installations), this kind of low-privilege workflow bypass has real operational impact on multi-author sites, editorial teams, and any WordPress environment that relies on role separation to protect content integrity.

CVE-2025-15527 is an information exposure vulnerability in the WordPress plugin WP Recipe Maker that breaks WordPress’ expected post privacy model for low-privileged editorial accounts. The core issue is a REST API endpoint that returns post metadata for any arbitrary post ID, while authorizing access using a broad capability check (edit_posts) rather than an object-level read permission check tied to the specific post being requested. In affected versions up to and including 10.2.2, this enables authenticated users with Contributor-level access and above to retrieve the title and featured image URL of posts they should not be able to view, including draft, private, and password-protected posts owned by other users.