The Password Protected plugin (300k+ installs) is widely used to place a front-end password gate on WordPress sites, preventing casual visitors from viewing pages until a shared password is entered. While convenient, this security model must strictly bind the “authenticated” state to something the attacker cannot forge. CVE-2025-11244 shows a critical flaw in the plugin’s Advanced → Cache issue → “Use transients” mode: the plugin derives the session key from the visitor’s IP address, and it trusts client-supplied proxy headers (such as X-Forwarded-For) without a trusted proxy policy. This allows an unauthenticated attacker to spoof a victim’s public IP and reuse the victim’s transient-based “logged in” state, bypassing the password gate entirely.
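The two controls the paragraph above asks for, as an added example that is not the Password Protected plugin's own code: a client-IP derivation that honours X-Forwarded-For only when the direct peer is a configured trusted proxy, and an unlocked-state key derived from a random cookie token rather than from the IP at all. Function names prefixed pp_example_ and the cookie name are assumptions.

```php
<?php
// Added example, not the plugin's code. Two pieces:
//  1. pp_example_client_ip(): a trusted-proxy policy for X-Forwarded-For.
//  2. pp_example_issue_session_token()/pp_example_transient_key(): bind the
//     "unlocked" state to a random secret the visitor holds, not to an IP.

function pp_example_client_ip(array $server, array $trusted_proxies): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    // No trusted proxies configured, or the direct peer is not one of them:
    // forwarded headers are attacker-controlled and must be ignored.
    if (empty($trusted_proxies) || !in_array($remote, $trusted_proxies, true)) {
        return $remote;
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $remote;
    }
    $hops = array_map('trim', explode(',', $xff));
    // Walk from the hop nearest to us outward. The first hop that is not one
    // of our own proxies is the client; everything left of it was supplied
    // by parties we do not trust and is never consulted.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed header: fall back to the socket address
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
    }
    // Every hop was one of our proxies; the socket address is the best we have.
    return $remote;
}

// Preferred design: the visitor keeps a 256-bit random token in a cookie and the
// server stores only its hash. Nothing about the request's network path matters.
function pp_example_issue_session_token(): string {
    $token = bin2hex(random_bytes(32));
    setcookie('pp_example_session', $token, [   // PHP 7.3+ options array
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $token;
}

function pp_example_transient_key(string $token): string {
    // Hash so a database read of the transient table does not reveal usable tokens.
    return 'pp_example_' . hash('sha256', $token);
}

// Usage after a correct password: $t = pp_example_issue_session_token();
// set_transient(pp_example_transient_key($t), 1, 3600);
// On later requests: get_transient(pp_example_transient_key($_COOKIE['pp_example_session'] ?? ''))
```

With an empty trusted-proxy list the function reduces to REMOTE_ADDR, which is the correct behaviour for a site that is not behind a reverse proxy. Even with the proxy policy in place, an IP-keyed state is shared by everyone behind the same NAT, which is why the token variant is the one that actually satisfies "something the attacker cannot forge".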
CVE-2025-10579 – BackWPup – Six-Nibble Backup Exposure (Missing Authorization to Sensitive Information Exposure) – POC

BackWPup is one of the most widely deployed WordPress backup plugins (500k+ installs), often used to create full site archives containing database dumps and wp-content files. Those archives frequently include highly sensitive secrets—database credentials from wp-config.php, authentication salts, plugin configuration tokens, and user password hashes. CVE-2025-10579 describes a high-impact exposure chain where any authenticated low-privileged user (e.g., Subscriber) can (1) read live backup logs through an unprotected AJAX endpoint, (2) learn the exact archive filename as soon as it is generated, and (3) download the full backup archive from a web-served directory whose per-site “random” subfolder is only six hex characters. This combination of missing authorization plus predictable resource location turns backup archives into an easily harvested target, enabling complete confidentiality compromise and rapid pivot to full administrative control.
CVE-2025-10588 – PixelYourSite – Cross-Site Request Forgery (CSRF) to option updating – POC

PixelYourSite (Free) is a widely used tracking and analytics integration plugin, active on 500k+ WordPress sites. It centralizes pixel/tag configuration for platforms like Meta and Google, and exposes consent-related toggles in its admin UI. During testing we identified CVE-2025-10588, a Cross-Site Request Forgery (CSRF) flaw that allows an attacker to trick a logged-in administrator into silently enabling GDPR AJAX mode and related consent integrations without valid nonce verification. Although the code checks that _wpnonce is present and confirms that the victim has the manage_pys capability, it never verifies the nonce value before mutating options, so state can be changed via a cross-origin GET or POST.
CVE-2025-11519 – Image optimization service by Optimole – Insecure Direct Object Reference (IDOR) to Media Offload (Author+) – POC

Optimole (WP plugin, ~200k+ installs) optimizes images on the fly and can offload media to a CDN, replacing local files with remote versions to reduce bandwidth and storage. In Optimole WP 4.0.4 we identified CVE-2025-11519, an Insecure Direct Object Reference (IDOR) on the REST route /wp-json/optml/v1/move_image. Any authenticated user possessing the upload_files capability (e.g., Author) and a valid REST nonce can post arbitrary attachment IDs to trigger the offload flow, which deletes the local image and its generated variants after a CDN check. By iterating IDs (e.g., 1..9999), an attacker can mass-process the library and cause site-wide “missing image” failures, broken posts/pages, SEO degradation, and data loss that requires restoring from backups. Because this does not require admin privileges and can be fully automated, the severity is High.
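An object-level authorization check for a route of this shape, as an added example that is not Optimole's code: the REST permission callback ties the destructive offload action to the caller's rights on that specific attachment, so holding upload_files alone is not enough to process arbitrary IDs. The namespace optml-example/v1 and the optml_example_ function names are assumptions.

```php
<?php
// Added example, not Optimole's code. The permission callback is the point:
// it refuses IDs the caller does not own before the handler ever runs.

function optml_example_can_move_image(WP_REST_Request $request) {
    $id = (int) $request->get_param('id');
    if ($id <= 0) {
        return new WP_Error('rest_invalid_param', 'Invalid attachment id.', ['status' => 400]);
    }
    $post = get_post($id);
    if (!$post || $post->post_type !== 'attachment') {
        // Same response for "missing" and "not an attachment": the route must not
        // act as an oracle that lets a caller map which IDs exist.
        return new WP_Error('rest_forbidden', 'Not permitted.', ['status' => 403]);
    }
    // The flow deletes the local file, so require delete rights on this object.
    // WordPress maps delete_post on an attachment to delete_posts for the owner's
    // own uploads and delete_others_posts for anyone else's, so an Author passes
    // only for attachments they uploaded.
    if (!current_user_can('delete_post', $id)) {
        return new WP_Error('rest_forbidden', 'Not permitted.', ['status' => 403]);
    }
    return true;
}

add_action('rest_api_init', function () {
    register_rest_route('optml-example/v1', '/move_image', [
        'methods'             => WP_REST_Server::CREATABLE,   // POST only, never GET
        'permission_callback' => 'optml_example_can_move_image',
        'args'                => [
            'id' => [
                'required'          => true,
                'type'              => 'integer',
                'minimum'           => 1,
                'sanitize_callback' => 'absint',
            ],
        ],
        'callback'            => function (WP_REST_Request $request) {
            // The real offload step (CDN check, then wp_delete_attachment) would
            // go here; this example only returns the authorization decision.
            return rest_ensure_response([
                'id'      => (int) $request['id'],
                'allowed' => true,
            ]);
        },
    ]);
});
```

Note that the REST nonce only proves the request came from a page the user loaded; it says nothing about whether the user may touch attachment N, which is exactly the gap an object-level check closes.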
CVE-2025-11361 – Essential Blocks – Server-Side Request Forgery (SSRF) with Response Exfiltration via save_ai_generated_image (Author+) – POC

Among its “AI image” helpers, the plugin offers a server-side fetch that retrieves a remote image and drops it into the Media Library. During testing we identified CVE-2025-11361, an authenticated Server-Side Request Forgery (SSRF) flaw that any Author+ (i.e., anyone with upload_files) can trigger. By calling the AJAX action save_ai_generated_image with a valid admin_nonce, an attacker supplies an arbitrary image_url; the server then performs a backend wp_remote_get() without host allow-listing or private/loopback blocking, and unconditionally writes the entire HTTP response body to a file in wp-content/uploads/ (forcing a fallback “.png” when the type is unrecognized). Because the body is stored verbatim, the attacker can later download that media item to exfiltrate internal responses (JSON/HTML/etc.), turning SSRF into a reliable data-exfiltration primitive against 127.0.0.1, RFC1918 ranges, or cloud metadata services.
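A hardened fetch for the "save remote image" step, as an added example rather than Essential Blocks' own code: the URL must be https to an allow-listed host, every address the host resolves to must be public, redirects are refused, and the body is written only if its bytes are a supported raster image (no fallback ".png"). Names prefixed eb_example_ are assumptions; wp_remote_get, wp_parse_url, MB_IN_BYTES and the WP_Error class are WordPress's own.

```php
<?php
// Added example, not the plugin's code. Goal: an image_url parameter can only
// ever produce an image file on disk, and only from hosts the operator chose.

function eb_example_is_public_ip(string $ip): bool {
    // NO_PRIV_RANGE rejects RFC1918; NO_RES_RANGE rejects loopback, 0.0.0.0/8,
    // link-local 169.254.0.0/16 (cloud metadata) and their IPv6 equivalents.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

function eb_example_validate_image_url(string $url, array $allowed_hosts) {
    $parts = wp_parse_url($url);
    if (!$parts || empty($parts['host']) || empty($parts['scheme'])) {
        return new WP_Error('bad_url', 'Malformed URL.');
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return new WP_Error('bad_scheme', 'Only https is accepted.');
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowed_hosts, true)) {
        return new WP_Error('bad_host', 'Host is not on the allow-list.');
    }
    // A name on the allow-list can still resolve to an internal address.
    $addrs = gethostbynamel($host) ?: [];
    if (empty($addrs)) {
        return new WP_Error('no_dns', 'Host did not resolve.');
    }
    foreach ($addrs as $ip) {
        if (!eb_example_is_public_ip($ip)) {
            return new WP_Error('private_target', 'Host resolves to a non-public address.');
        }
    }
    return true;
}

function eb_example_fetch_image(string $url, array $allowed_hosts) {
    $ok = eb_example_validate_image_url($url, $allowed_hosts);
    if (is_wp_error($ok)) {
        return $ok;
    }
    $resp = wp_remote_get($url, [
        'timeout'             => 10,
        'redirection'         => 0,     // a 30x could point back inside the network
        'reject_unsafe_urls'  => true,  // also runs WordPress's wp_http_validate_url()
        'limit_response_size' => 5 * MB_IN_BYTES,
    ]);
    if (is_wp_error($resp)) {
        return $resp;
    }
    if (wp_remote_retrieve_response_code($resp) !== 200) {
        return new WP_Error('bad_status', 'Unexpected HTTP status.');
    }
    $body = wp_remote_retrieve_body($resp);
    // Do not trust Content-Type: sniff the bytes and accept only raster images.
    $info = @getimagesizefromstring($body);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg',
                'image/gif' => 'gif', 'image/webp' => 'webp'];
    if ($info === false || !isset($allowed[$info['mime']])) {
        // Anything that is not an image is dropped, never written with a guessed extension.
        return new WP_Error('not_image', 'Response body is not a supported image.');
    }
    return ['bytes' => $body, 'ext' => $allowed[$info['mime']]];
}

// Usage: $r = eb_example_fetch_image($image_url, ['images.example.com']);
// if (!is_wp_error($r)) { /* wp_upload_bits('ai-image.' . $r['ext'], null, $r['bytes']) */ }
```

Two caveats a reviewer would raise: gethostbynamel() returns only A records, so a host with AAAA records needs the same check on its IPv6 addresses, and the resolve-then-fetch sequence is still exposed to DNS rebinding unless the HTTP client is pinned to the address that was validated. The image sniff is what removes the exfiltration primitive described above: an internal JSON or HTML response never reaches wp-content/uploads/.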
CVE-2025-11703 – WP Go Maps (formerly WP Google Maps) – Unauthenticated Cache Poisoning – POC

WP Go Maps is a widely used mapping plugin for WordPress (300k+ installs). CVE-2025-11703 is a server-side cache poisoning flaw in the action=wpgmza_store_nominatim_cache admin-AJAX handler. Instead of performing a trusted server-side geocoding request and caching the authoritative result, the handler accepts two attacker-controlled parameters, query and response, and blindly stores the supplied response JSON as the cached geocode for the specified query. Because the endpoint does not enforce a CSRF nonce and relies only on browser cookies, an attacker can coerce a logged-in privileged user into sending a forged POST that writes arbitrary coordinates, names, and metadata into the plugin’s geocoding cache. Subsequent map lookups for that address will use the poisoned cache entry, leading to persistent integrity corruption in map data visible to all visitors.
CVE-2025-11378 – ShortPixel Image Optimizer – Improper Authorization in Settings Import/Export → Admin Takeover (Stored XSS) & Defacement & CloudFlare token stealing – POC

ShortPixel Image Optimizer is a popular WordPress plugin (300k+ installs) for image compression and CDN delivery. During security testing, we identified CVE-2025-11378, an Improper Authorization flaw in the plugin’s settings import/export AJAX endpoint: it accepts a nonce obtainable by low-privileged users (e.g., Contributor+) but never enforces an admin-level capability such as manage_options. As a result, a low-privileged account can import arbitrary global settings (including enabling CDN and pointing CDNDomain to an attacker-controlled host) and export the full configuration, leading to admin-equivalent impact via Stored XSS and front-end defacement, as well as exposure of sensitive CDN/Cloudflare tokens that can be abused to compromise external infrastructure.
CVE-2025-10700 – Ally – Web Accessibility & Usability – Cross-Site Request Forgery to Plugin Settings Update – POC

Ally – Web Accessibility & Usability is a widely deployed WordPress plugin (400k+ installs) that enhances accessibility and content usability across themes and page builders. During security testing, we identified CVE-2025-10700, a Cross-Site Request Forgery (CSRF) flaw that allows a malicious site to trick a logged-in administrator's browser into enabling "unfiltered SVG uploads" via the plugin's AJAX action. Although the handler correctly checks current_user_can('manage_options'), it does not validate a CSRF nonce, meaning an admin merely visiting a hostile page can have their upload policy silently weakened. Because SVG is effectively an XML/HTML container with scriptable/interactive capabilities, forcibly enabling unfiltered SVG support increases exposure to SVG-borne XSS, data smuggling, and stored-content abuse in environments where other defenses are imperfect or later regress.
CVE-2025-8682 – Newsup – Missing Authorization to Authenticated (Subscriber+) Plugin Installation – POC

Newsup is a magazine-style WordPress theme with more than 30,000 active installations, prized for its demo importer and “one-click extras” that streamline editorial site setup. During security testing we identified CVE-2025-8682, a high-impact Missing Authorization flaw: the theme exposes an AJAX action named install_act_plugin that can be invoked by low-privileged users (Subscriber+) and, in some deployments, even unauthenticated visitors. Because the handler does not enforce a capability check (e.g., install_plugins / manage_options) and is callable without a CSRF nonce, attackers can silently initiate plugin installation/activation flows, introducing untrusted code into the site.
CVE-2025-11166 – WP Go Maps (WP Google Maps) – Cross-Site Request Forgery to Plugin Settings Update (CSRF) – POC

WP Go Maps (WP Google Maps) is a widely used mapping plugin (300k+ installs) that lets administrators create maps, markers, and geometry layers for pages and posts. During testing, we identified CVE-2025-11166, a set of Cross-Site Request Forgery (CSRF) and Missing Authorization flaws caused by a state-changing REST→AJAX bridge that lacks CSRF nonces and, in at least one case, a permissive GET-only destructive route with no permission callback. The net effect is that an attacker can trick a logged-in Admin/Editor into creating, modifying, or deleting markers and geometry, and can mass-delete markers anonymously via an unauthenticated GET, enabling both content tampering and denial of service (DoS).
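The CSRF and missing-authorization entries above (PixelYourSite, WP Go Maps cache poisoning, Ally, Newsup, and this one) all come down to the same handler shape, so one added example covers them. It is not any of those plugins' code: the weak handler reproduces the "nonce present but never verified" pattern, and the hardened one verifies the nonce value against its action, then the capability, then the input. Action names, option keys and the example_ prefix are assumptions.

```php
<?php
// Added example, not taken from any plugin. Weak vs. hardened admin-AJAX handler.

// Weak: only the presence of _wpnonce is checked. A cross-origin form that
// includes any _wpnonce value passes, and the browser supplies the admin's cookies.
function example_weak_update_handler() {
    if (!isset($_POST['_wpnonce']) || !current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    update_option('example_setting', sanitize_text_field(wp_unslash($_POST['value'] ?? '')));
    wp_send_json_success();
}

// Hardened: nonce value, then capability, then method and value validation.
function example_hardened_update_handler() {
    // check_ajax_referer() verifies the nonce against the action string and
    // terminates the request with HTTP 403 when it is missing or wrong, so a
    // request forged from another origin never reaches update_option().
    check_ajax_referer('example_update_setting', '_wpnonce');

    // The capability for the action being taken: manage_options for settings,
    // install_plugins for anything that installs code.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    // State changes are never accepted over GET.
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        wp_send_json_error('method_not_allowed', 405);
    }
    $value = sanitize_text_field(wp_unslash($_POST['value'] ?? ''));
    if (!in_array($value, ['on', 'off'], true)) {
        wp_send_json_error('invalid_value', 400);
    }
    update_option('example_setting', $value);
    wp_send_json_success(['example_setting' => $value]);
}
// Logged-in hook only: a state-changing action gets no wp_ajax_nopriv_ registration.
add_action('wp_ajax_example_update_setting', 'example_hardened_update_handler');

// The admin page must embed a nonce created for the same action string.
function example_enqueue_nonce() {
    wp_localize_script('example-admin', 'exampleAjax', [
        'nonce' => wp_create_nonce('example_update_setting'),
        'url'   => admin_url('admin-ajax.php'),
    ]);
}
add_action('admin_enqueue_scripts', 'example_enqueue_nonce');
```

For the REST side of a bridge like the one described for WP Go Maps, the equivalent controls are a permission_callback on every route (the REST API refuses to register a route without one in current WordPress) and DELETE or POST as the method for anything destructive, so that a bare GET from an anonymous visitor cannot delete markers.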