CVE-2025-10723 – Pixel Your Site – Local File Inclusion (LFI) – POC

PixelYourSite is one of the most widely used analytics and marketing integration plugins for WordPress, with 500k+ installs. It streamlines adding Facebook/Meta, Google, and other pixels/tags, and includes convenience features for exporting or downloading configuration artifacts. During testing, we identified CVE-2025-10723, a Local File Inclusion (LFI) / path traversal flaw in the plugin’s admin download endpoint. When an authenticated administrator requests a file through the download_container parameter, the handler concatenates that user-supplied path with an internal base directory and streams it directly. Because the code does not normalize or strictly validate the path (no canonicalization, no allowlist), ../ traversal lets an admin download arbitrary readable files from the server, including wp-config.php, SSH keys, and environment files. While exploitation requires admin privileges and a valid nonce, the impact is high due to the sensitivity of the exposed secrets (DB credentials, salts, API keys) and the potential for off-platform pivoting.

CVE-2025-9243 – Cost Calculator Builder – Missing Authorization to update order status and payment status via update_order_status AJAX action – POC

Cost Calculator Builder (v3.5.24) is a popular WordPress plugin (50k+ installs) that enables site owners to create customizable pricing calculators and capture form-based orders. It exposes AJAX endpoints—get_cc_orders to list orders and update_order_status to change an order’s status—relying solely on client-side nonces injected into window.ccb_nonces. However, these handlers perform no current_user_can() checks, permitting any visitor who steals or observes the publicly exposed nonces to list all orders (including customer names and email addresses) and arbitrarily mark payments as complete, canceled, rejected, or pending.

CVE-2025-8669 – Customify [THEME] – Unauth CSRF to Reset of All Settings – POC

Customify is a lightweight, highly customizable WordPress theme—active on over 50,000 sites—that offers granular control over layouts, colors, typography, and WooCommerce integrations. Its “Reset Section” feature lets administrators revert a group of options to defaults. However, CVE-2025-8669 exposes a serious flaw: the reset endpoint customify__reset_section lacks both nonce protection and capability checks, allowing unauthenticated users to force a complete reset of virtually all Customify theme settings via a single CSRF request.

CVE-2025-11705 – Anti-Malware Security and Brute-Force Firewall – Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read – POC

The Anti-Malware Security and Brute-Force Firewall plugin is installed on over 100,000 WordPress sites to detect, quarantine, and remove malicious code, as well as to prevent brute-force login attempts. Central to its functionality is a quarantine system that logs suspicious files into a private custom post type (GOTMLS_quarantine) and exposes administrative AJAX endpoints for viewing, scanning, and clearing these quarantined items. However, CVE-2025-11705 reveals a severe broken authorization chain: through the public-facing GOTMLS_View_Quarantine endpoint, any authenticated user—including a Subscriber+—can obtain a valid GOTMLS_mt token, then reuse that token to invoke GOTMLS_scan and read arbitrary filesystem files (e.g., wp-config.php), or call GOTMLS_empty_trash to tamper with quarantine records. This combination of token leakage and missing capability checks constitutes a critical confidentiality and integrity risk.

CVE-2025-8594 – Pz-LinkCard – SSRF – POC

Pz-LinkCard is a WordPress plugin with over 50,000 installations that transforms external URLs into rich, responsive card layouts using the [blogcard] shortcode. By fetching metadata—titles, thumbnails, descriptions—from remote sites, it enhances content engagement. However, a critical vulnerability—CVE-2025-8594—allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF). Because the plugin directly uses the user-supplied url attribute in server-side HTTP requests without any whitelist or validation, an attacker can coerce the server into fetching internal or arbitrary endpoints, risking data exposure, internal network probing, or remote service manipulation.

CVE-2025-8999 – Sydney – Missing Authorization to Authenticated (Subscriber+) Limited Theme Options Update – POC

The Sydney WordPress theme, active on over 100,000 sites, offers modular feature toggles—block templates, custom headers, advanced typography—managed via URL parameters on the Profile page. Unfortunately, a critical vulnerability—CVE-2025-8999—permits Subscriber+ or even unauthenticated users to activate or deactivate these theme modules without proper authorization. By simply visiting a crafted URL or submitting a CSRF form, low-privilege attackers can modify the sydney-modules option, enabling or disabling core theme functionality and potentially weakening site defenses or injecting unwanted features.

CVE-2025-9979 – Maspik – Authenticated (Subscriber+) Missing Authorization to Spam Log Export – POC

Maspik is a spam-logging WordPress plugin used by over 30,000 sites to record and analyze spam submissions across contact forms, checkout pages, and other inputs. It stores detailed records—email addresses, IPs, user agents, country data—in the wp_maspik_spam_logs table. A critical vulnerability—CVE-2025-9979—allows any authenticated user with as little as Subscriber+ privileges to export the entire spam log as a CSV file. This missing authorization on the Maspik_spamlog_download_csv endpoint leads to wholesale disclosure of potentially sensitive data without any nonce or capability checks.

CVE-2025-9888 – Maspik – Cross-Site Request Forgery (CSRF) – POC

Maspik is a WordPress plugin deployed on over 30,000 sites to track and log spam submissions from contact forms and checkout pages. It stores entries in the wp_maspik_spam_logs table, enabling administrators to review and clear logs via the dashboard. However, a critical flaw—CVE-2025-9888—permits any visitor or low-privileged user to trigger a full log wipe via a simple CSRF attack. Because the plugin’s “Clear Logs” action lacks nonce verification and capability checks, an attacker can silently erase all spam records, disrupting site monitoring and potentially masking ongoing attacks.

CVE-2025-9816 – WP Statistics – Unauthenticated Stored Cross-Site Scripting (XSS) – POC

CVE-2025-9816 is a critical stored cross-site scripting vulnerability in the widely used WP Statistics plugin (600k+ installs). It permits an attacker to persist a crafted User-Agent string into the plugin’s device model field, and that string later executes as arbitrary JavaScript inside the wp-admin interface when an administrator views the Devices → Device Models report. The root cause is a chain of weak protections: the UA string is lightly normalized by the parser but not fully sanitized or context-escaped before being stored and rendered, and the admin table renders the model value both into a text node and into an HTML attribute (title) without esc_html()/esc_attr() or equivalent context-aware escaping. Because administrators have high privileges and valid nonces in their browser context, any JavaScript that executes there can steal cookies, nonces, or trigger privileged actions—turning a seemingly low-signal analytics record into a direct path to full site takeover.