Pz-LinkCard is a WordPress plugin with over 50,000 installations that transforms external URLs into rich, responsive card layouts using the [blogcard] shortcode. By fetching metadata—titles, thumbnails, descriptions—from remote sites, it enhances content engagement. However, a critical vulnerability—CVE-2025-8594—allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF). Because the plugin directly uses the user-supplied url attribute in server-side HTTP requests without any whitelist or validation, an attacker can coerce the server into fetching internal or arbitrary endpoints, risking data exposure, internal network probing, or remote service manipulation.
CVE-2025-8999 – Sydney – Missing Authorization to Authenticated (Subscriber+) Limited Theme Options Update – POC

The Sydney WordPress theme, active on over 100,000 sites, offers modular feature toggles—block templates, custom headers, advanced typography—managed via URL parameters on the Profile page. Unfortunately, a critical vulnerability—CVE-2025-8999—permits Subscriber+ or even unauthenticated users to activate or deactivate these theme modules without proper authorization. By simply visiting a crafted URL or submitting a CSRF form, low-privilege attackers can modify the sydney-modules option, enabling or disabling core theme functionality and potentially weakening site defenses or injecting unwanted features.
CVE-2025-9979 – Maspik – Authenticated (Subscriber+) Missing Authorization to Spam Log Export – POC

Maspik is a spam-logging WordPress plugin used by over 30,000 sites to record and analyze spam submissions across contact forms, checkout pages, and other inputs. It stores detailed records—email addresses, IPs, user agents, country data—in the wp_maspik_spam_logs table. A critical vulnerability—CVE-2025-9979—allows any authenticated user with as little as Subscriber+ privileges to export the entire spam log as a CSV file. This missing authorization on the Maspik_spamlog_download_csv endpoint leads to wholesale disclosure of potentially sensitive data without any nonce or capability checks.
CVE-2025-9888 – Maspik – Cross-Site Request Forgery (CSRF) – POC

Maspik is a WordPress plugin deployed on over 30,000 sites to track and log spam submissions from contact forms and checkout pages. It stores entries in the wp_maspik_spam_logs table, enabling administrators to review and clear logs via the dashboard. However, a critical flaw—CVE-2025-9888—permits any visitor or low-privileged user to trigger a full log wipe via a simple CSRF attack. Because the plugin’s “Clear Logs” action lacks nonce verification and capability checks, an attacker can silently erase all spam records, disrupting site monitoring and potentially masking ongoing attacks.
CVE-2025-9816 – WP Statistics – Unauthenticated Stored Cross-Site Scripting (XSS) – POC

CVE-2025-9816 is a critical stored cross-site scripting vulnerability in the widely used WP Statistics plugin (600k+ installs) that permits an attacker to persist a crafted User-Agent string into the plugin’s device model field and later execute arbitrary JavaScript inside the wp-admin interface when an administrator views the Devices → Device Models report. The root cause is a chain of weak protections: the UA string is lightly normalized by the parser but not fully sanitized or context-escaped before being stored and rendered, and the admin table renders the model value both into a text node and into an HTML attribute (title) without esc_html()/esc_attr() or equivalent context-aware escaping. Because administrators have high privileges and valid nonces in their browser context, any JavaScript that executes there can steal cookies, nonces, or trigger privileged actions—turning a seemingly low-signal analytics record into a direct path to full site takeover.
CVE-2025-8282 – SureForms – Stored XSS – POC

CVE-2025-8282 affects the widely used SureForms plugin, with over 300,000 active installations, and revolves around a stored cross-site scripting flaw that undermines the integrity of form labels. SureForms allows Editors and Administrators to build complex forms using text blocks with customizable labels and placeholders. However, by embedding malicious JavaScript into the “Label” field when the “Use Labels as Placeholders” option is enabled, an attacker with Editor-level permissions can store a payload that executes whenever any user hovers over the affected form element. This vulnerability leverages the high-privilege context granted to Editors, turning a benign form builder feature into a powerful vector for account takeover and persistent backdoors.
CVE-2025-9331 – Spacious [THEME] – Missing Authorization to Authenticated (Subscriber+) Demo Data Import – POC

CVE-2025-9331 impacts the widely used Spacious WordPress theme, currently active on over 30,000 sites. At its core lies a missing authorization check in the theme’s demo data import functionality. Normally, executing the “Import Demo Data” operation should be restricted to high-privileged users such as Administrators or Editors. However, due to an exposed nonce delivered via wp_localize_script, even Subscriber-level accounts can trigger the import_button AJAX action, enabling them to import arbitrary demo content and potentially manipulate site configuration or inject malicious data without proper oversight.
CVE-2025-8592 – Inspiro [THEME] – Unauth CSRF Leads to Arbitrary Plugin Upload and Remote Code Execution – POC

CVE-2025-8592 affects the popular Inspiro WordPress theme, which has amassed over 100,000 active installations. This vulnerability arises from an unauthenticated Cross-Site Request Forgery (CSRF) flaw in the theme’s AJAX handlers, specifically the inspiro_install_plugin action. By tricking an unsuspecting site administrator into visiting a malicious page, an attacker can silently install and activate plugins of their choosing from the official WordPress repository. If the forced plugin contains file-upload capabilities or known security weaknesses, the attacker can achieve full remote code execution (RCE) on the compromised site.
Plugin Security Certification (PSC-2025-64595): “Category Order and Taxonomy Terms Order” – Version 1.9.1: Use Category Order with Enhanced Security

Category Order and Taxonomy Terms Order is a lightweight yet powerful WordPress plugin that enables administrators to reorder categories and custom taxonomy terms with a drag-and-drop interface. Developed by Nsp-Code, this plugin enhances site structure and usability without requiring theme or plugin modifications.
While primarily a tool for content organization, it also interacts directly with queries and the WordPress admin environment—areas where poorly implemented code could create vulnerabilities. That’s why CleanTalk’s Plugin Security Certification (PSC-2025-64595) is an important milestone: it validates that this plugin has been extensively audited and is safe to use in production environments.
Plugin Security Certification (PSC-2025-64594): “WP-PageNavi” – Version 2.94.5: Use Fancy Pagination Links with Enhanced Security

WP-PageNavi is one of the most widely used plugins for adding advanced paging navigation to WordPress. Instead of the basic “Older posts | Newer posts” links, it provides a more user-friendly and customizable pagination interface that improves navigation across archives, blogs, and multipage posts. With a long-standing reputation for reliability, WP-PageNavi is trusted by thousands of site owners to enhance usability.
Now, with the Plugin Security Certification (PSC-2025-64594) by CleanTalk, WP-PageNavi has also been recognized for its secure coding practices and resistance to modern web-based threats. This certification gives WordPress administrators confidence that the plugin is not only functional but also fully aligned with today’s security standards.