Security

CVE-2025-13393 affects Featured Image from URL FIFU and it enables a Contributor level user to coerce the WordPress server into making outbound requests to attacker chosen destinations during the Elementor save workflow. The vulnerability is blind server side request forgery because the plugin does not return the fetched response body to the attacker. Instead it triggers a network request as a side effect of extracting image dimensions. This is still high impact because the attacker gains a reliable primitive to reach internal hosts that are not accessible from the internet, which can be used for reconnaissance and chaining. Install base around 70k plus makes this relevant to real sites where Contributors and Authors are common in editorial and marketing teams.

CVE-2025-13753 affects WP Table Builder and it is an incorrect authorization vulnerability where a low privilege authenticated user can create new tables even when the site owner configured the plugin to allow table management only for specific roles. The bug is subtle because the plugin does have an authorization model and a dedicated allowed roles gate, yet one AJAX entry point introduces an alternative access path that relies only on possession of a nonce like value and skips the capability check entirely. In practical terms this means a Subscriber can perform a privileged content creation action as soon as they can see or steal the security code that is exposed in front end or editor context, which breaks the expected role separation that administrators rely on in multi user WordPress installations.

CVE-2026-3231 affects Checkout Field Editor Checkout Manager for WooCommerce and it is an unauthenticated stored cross site scripting vulnerability that can fire in high value contexts such as the WooCommerce admin order screen and customer order details. The reason this matters is that checkout fields sit directly on the boundary between untrusted shopper input and trusted back office workflows. If an attacker can store HTML that later executes in an administrator’s browser, the impact quickly escalates from a cosmetic script popup into session theft and administrative actions performed in the background. With an install base around 500k plus, the vulnerable pattern is relevant for many production stores, especially those that use custom checkout fields to collect contact data, delivery preferences, or consent options.

CVE-2026-3585 affects The Events Calendar and its Event Aggregator import workflow. It is an authenticated Local File Inclusion issue in the CSV import path where a low privilege user who can manage event imports can point the importer at an arbitrary local path and force the server to open it as if it were a CSV file. Even though this does not look like code execution, the security impact is serious because it turns an editorial role into a tool for reading sensitive server files that were never meant to be exposed through the application. Given the plugin’s large install base around 700k plus, this becomes especially relevant on multi author sites and organizations where event staff have elevated content permissions but should not have access to server level secrets.

CVE-2025-14980 affects BetterDocs and it exposes a high value secret through a surprisingly common WordPress anti pattern. The plugin places an OpenAI API key into a JavaScript object that is printed in the admin area, and that admin screen is reachable by Contributor level users. This means a user who is not trusted to manage integrations can still read the key simply by opening the BetterDocs dashboard and inspecting the page source or DevTools network responses. The immediate consequence is that a low privilege account can obtain a reusable external credential that is valid outside WordPress, which changes the risk from a local dashboard information leak into a broader third party account abuse scenario.

CVE-2025-13749 affects Clearfy version 2.4.0 and it is a Cross Site Request Forgery weakness inside the Clearfy Updates Manager module that allows an attacker to change update visibility and auto update behavior without the administrator’s consent. The most important security property here is stealth. Once the request succeeds, the targeted plugin or theme immediately disappears from the update list and the familiar yellow update banner no longer appears, so the administrator receives no obvious signal that anything changed. This is not a flashy exploit like code execution, but it is a persistence enabler that keeps vulnerable software in place and increases compromise probability over time because patching is silently disabled.

CVE-2025-14059 affects Email Kit and it is a local file inclusion vulnerability that turns a normal email template feature into a reliable arbitrary file read primitive for an authenticated Author level user. The key reason it is serious is that it is not only about reading a file on the server. It also provides a built in exfiltration channel because the stolen file content can be delivered outward through MetForm confirmation emails to an attacker controlled mailbox. On real sites this means an Author account, which is common on marketing and content teams, can reach high value secrets like wp-config.php database credentials and authentication keys without needing administrator access, and without any direct file download feature being present.