CVE-2025-13558 – Blog2Social – Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Trashing – POC

CVE-2025-13558 affects the WordPress plugin “Blog2Social: Social Media Auto Post & Scheduler” (commonly referenced as Blog2Social) and represents a classic object-level authorization failure where an authenticated user can trigger a destructive action against content they do not own. According to the public CVE description, all versions up to and including 8.7.0 are impacted, and the practical outcome is that a low-privileged authenticated account (Subscriber and above) can change the status of arbitrary posts to “trash,” resulting in immediate, user-visible disappearance of published content and disruption of editorial operations. The plugin’s footprint is non-trivial—WordPress.org reports “Active installations 50,000+,” which makes authorization regressions of this kind especially consequential in real deployments where Subscriber accounts exist for memberships, customers, forums, or gated content.

CVE-2023-49282 – Amelia – Exposed phpinfo() via Microsoft Graph SDK test file bundled in the Amelia Booking plugin – POC

CVE-2023-49282 is an information disclosure issue that can surface in real WordPress environments when third-party dependencies ship test artifacts inside production packages and the hosting setup permits direct web access to those files. In the Amelia Booking plugin (“ameliabooking”), the Microsoft Graph PHP SDK is bundled under vendor/, and that SDK historically included a test script named tests/GetPhpInfo.php that calls phpinfo() unconditionally; if a site’s web server allows requests into the plugin’s dependency tree, an unauthenticated visitor can retrieve a full phpinfo() page from a predictable URL path. The underlying weakness described in public advisories is specifically the presence of this callable test code at vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php, and exploitation depends on the application being able to access and execute that path from the web layer.

CVE-2025-12359 – Responsive Lightbox & Gallery – SSRF via Author+ – POC

Responsive Lightbox & Gallery is a widely used WordPress plugin (100k+ installs) that enhances galleries and lightboxes, including support for remote images and “remote library” content blocks. As part of rendering gallery items, the plugin attempts to determine image dimensions (width/height) server-side when those values are missing or when an item is stored as a plain URL. During testing, we identified CVE-2025-12359, an authenticated SSRF vulnerability exploitable by Author+ users who can create or edit gallery content. By supplying an attacker-controlled URL, the plugin causes the WordPress server to initiate outbound requests to arbitrary internal or external addresses—including 127.0.0.1, RFC1918 networks, and potentially cloud metadata endpoints—without allow-listing, private-range blocking, or redirect safeguards.

CVE-2025-11427 – WP Migrate Lite – Unauthenticated Blind Server-Side Request Forgery – POC

WP Migrate Lite (≈200k+ installs) is a widely used WordPress migration plugin designed to synchronize databases and media between sites. Migration workflows often require remote communication between WordPress instances, which makes request-handling logic highly sensitive to authentication, nonce validation, and strict URL allow-listing. In WP Migrate Lite 2.7.5, we identified CVE-2025-11427, an unauthenticated blind Server-Side Request Forgery (SSRF) vulnerability reachable through a publicly exposed AJAX endpoint. By sending crafted parameters to admin-ajax.php?action=wpmdb_flush without any WordPress cookies, an attacker can coerce the WordPress server into issuing a backend wp_remote_post() request to an arbitrary host, including internal services on 127.0.0.1, RFC1918 networks, or cloud metadata endpoints—enabling internal probing, service interaction, and potential chained compromise.

CVE-2025-12494 – Modula – Image Gallery – Photo Grid & Video Gallery – Improper Authorization to Authenticated (Author+) Arbitrary Image File Move – POC

Modula – Image Gallery (Photo Grid & Video Gallery) is a widely deployed WordPress gallery plugin (100k+ installs) used to build responsive image grids and media galleries. It includes an “import file” feature to bring images into the Media Library. During testing, we identified CVE-2025-12494, a high-impact improper authorization / unsafe file operation vulnerability: an Author+ user can supply a filesystem path to a local image and—when delete_files=true—cause WordPress’ media_handle_sideload() pipeline to move (not copy) that file into uploads, effectively removing the original asset from its source location. Because the endpoint does not enforce a base-directory allowlist (no realpath() prefix check), attackers can target application assets such as theme images, plugin graphics, or other local files readable/writable by PHP, resulting in content integrity loss and site destabilization.

CVE-2025-12377 – Envira Gallery Lite – Incorrect Authorization Enables Cross-Gallery Image Removal – POC

Envira Gallery Lite is a popular WordPress gallery plugin with 100k+ installs, commonly used to build image galleries as a custom post type (envira). Galleries are frequently curated for portfolios, product pages, and editorial content, making integrity of gallery composition important. CVE-2025-12377 describes an incorrect authorization flaw in the AJAX image removal workflow: instead of enforcing object-level permissions on the target gallery, the handler accepts only the broad edit_posts capability. This means any user who can edit their own posts (e.g., Author) can tamper with any Envira gallery by removing images from it—without owning the gallery—resulting in visual defacement and content integrity loss.

CVE-2025-11587 – Call Now Button – CSRF/Missing Auth Enables Forced Cloud Account Binding – POC

Call Now Button is a popular WordPress plugin (200k+ installs) that adds a call/chat overlay to a website and can be managed locally or via the vendor’s cloud. During testing, we identified CVE-2025-11587, a critical CSRF / Missing Authorization vulnerability that allows an attacker to force-bind a victim site to an attacker-controlled Call Now Button (CNB) cloud account. The flaw is caused by an unprotected admin-post activation endpoint that accepts a one-time token (OTT) from the request and stores it directly into the plugin’s persistent options, enabling cloud management without verifying the user’s capabilities and without verifying any nonce. The result is an arbitrary plugin configuration update that grants the attacker remote control over the on-site overlay and funnels user interactions into the attacker’s cloud project.

CVE-2025-11244 – Password Protected – Unauthenticated Authorization Bypass via IP Address Spoofing – POC

The Password Protected plugin (300k+ installs) is widely used to place a front-end password gate on WordPress sites, preventing casual visitors from viewing pages until a shared password is entered. While convenient, this security model must strictly bind the “authenticated” state to something the attacker cannot forge. CVE-2025-11244 shows a critical flaw in the plugin’s Advanced → Cache issue → “Use transients” mode: the plugin derives the session key from the visitor’s IP address, and it trusts client-supplied proxy headers (such as X-Forwarded-For) without a trusted proxy policy. This allows an unauthenticated attacker to spoof a victim’s public IP and reuse the victim’s transient-based “logged in” state, bypassing the password gate entirely.