Author: Dmitrii I

CVE-2025-14155 is an unauthenticated information disclosure vulnerability in Premium Addons for Elementor – Powerful Elementor Templates & Widgets, where an external attacker can retrieve the rendered HTML of Elementor templates that were never meant to be publicly readable. The National Vulnerability Database (NVD) describes the root cause as a missing capability check in the plugin’s get_template_content function, enabling unauthenticated attackers to view the contents of private, draft, and pending templates in all versions up to and including 4.11.53. This matters in real deployments because Elementor templates often contain unpublished landing pages, internal copy, experiment variants, marketing plans, gated offers, or “coming soon” pages that site owners assume are only visible inside the editor/dashboard until explicitly published or embedded.

CVE-2025-11369 impacts the WordPress plugin Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns (“Essential Blocks”) and is a classic Missing / Incorrect Capability Check issue that results in unauthorized access to sensitive configuration data. The vulnerability allows authenticated users with Author-level access and above to retrieve API keys and tokens configured for external services, because several plugin entry points validate only a weak or incorrect permission boundary rather than a strict administrative capability. NVD summarizes the root cause precisely: missing or incorrect capability checks in functions associated with Instagram, Google Maps, and site info retrieval in all versions up to and including 5.7.2, enabling authenticated Author+ users to view API keys for external services. Because Essential Blocks has a large deployment footprint (200,000+ active installations on WordPress.org), the real-world impact is not niche—multi-author sites that grant Author roles routinely (editors, guest authors, content teams) are exactly the environments where this exposure becomes operationally relevant.

CVE-2025-13794 is an Incorrect Authorization / Missing Authorization (CWE-862) vulnerability in the WordPress plugin Auto Featured Image (Auto Post Thumbnail) that breaks WordPress’ object-level access control for post thumbnails when bulk actions are used from the Posts list screen. The vulnerability affects all versions up to and including 4.2.1, and it allows authenticated attackers with Contributor-level access or higher to delete or generate featured images on posts they do not own, effectively enabling cross-user content tampering without the normal “can you edit this specific post?” gate. Because the plugin is widely deployed (WordPress.org shows 50,000+ active installations), this kind of low-privilege workflow bypass has real operational impact on multi-author sites, editorial teams, and any WordPress environment that relies on role separation to protect content integrity.

CVE-2025-15527 is an information exposure vulnerability in the WordPress plugin WP Recipe Maker that breaks WordPress’ expected post privacy model for low-privileged editorial accounts. The core issue is a REST API endpoint that returns post metadata for any arbitrary post ID, while authorizing access using a broad capability check (edit_posts) rather than an object-level read permission check tied to the specific post being requested. In affected versions up to and including 10.2.2, this enables authenticated users with Contributor-level access and above to retrieve the title and featured image URL of posts they should not be able to view, including draft, private, and password-protected posts owned by other users.

CVE-2025-10583 is an authenticated Server-Side Request Forgery (SSRF) vulnerability in the WordPress plugin WP Fastest Cache, affecting versions up to and including 1.7.4 according to the NVD record. What makes this issue especially operationally relevant is the plugin’s adoption: the WordPress.org listing shows 1+ million active installations, so any low-privilege-to-network-recon bug has immediate “real internet” consequences across a large attack surface. The core impact is not a direct data exfiltration primitive by itself, but rather a reliable way for a low-privileged authenticated user to coerce the server into making outbound connections, which can be weaponized for internal network discovery, firewall bypass, and chaining into higher-impact compromises.