CVE-2025-11166 – WP Go Maps (WP Google Maps) – Cross-Site Request Forgery to Plugin Settings Update (CSRF) – POC

WP Go Maps (WP Google Maps) is a widely used mapping plugin (300k+ installs) that lets administrators create maps, markers, and geometry layers for pages and posts. During testing, we identified CVE-2025-11166, a set of Cross-Site Request Forgery (CSRF) and Missing Authorization flaws caused by a state-changing REST→AJAX bridge that lacks CSRF nonces and, in at least one case, a permissive GET-only destructive route with no permission callback. The net effect is that an attacker can trick a logged-in Admin/Editor into creating, modifying, or deleting markers and geometry; and can mass delete markers anonymously via an unauthenticated GET, enabling both content tampering and denial-of-service (DoS).

CVE-2025-10645 – WP Reset – Plaintext License Key Logging in Public Web-Accessible Log – POC

WP Reset is a widely used WordPress utility (400k+ installs) that accelerates development and recovery by resetting sites, managing snapshots, and handling licensing for its Pro features. During testing, we discovered CVE-2025-10645, a sensitive-data exposure flaw: when licensing is invoked, the plugin writes the submitted license key verbatim to a log file located under the publicly reachable wp-content/ directory. Because the logger is initialized with debug => true and no masking is applied to license_key, the log ends up disclosing raw keys alongside rich site metadata and server responses—all retrievable unauthenticated over HTTP on default setups.

CVE-2025-10723 – Pixel Your Site – Local File Inclusion (LFI) – POC

PixelYourSite is one of the most widely-used analytics and marketing integration plugins for WordPress, with 500k+ installs. It streamlines adding Facebook/Meta, Google, and other pixels/tags, and includes convenience features for exporting or downloading configuration artifacts. During testing, we identified CVE-2025-10723, a Local File Inclusion (LFI) / path traversal flaw in the plugin’s admin download endpoint. When an authenticated administrator requests a file through the download_container parameter, the handler concatenates that user-supplied path with an internal base directory and streams it directly. Because the code does not normalize or strictly validate the path (no canonicalization, no allowlist), ../ traversal lets an admin download arbitrary readable files from the server, including wp-config.php, SSH keys, and environment files. While exploitation requires admin privileges and a valid nonce, the impact is high due to the sensitivity of the exposed secrets (DB credentials, salts, API keys) and the potential for off-platform pivoting.

CVE-2025-9243 – Cost Calculator Builder – Missing Authorization to update order status and payment status via update_order_status AJAX action – POC

Cost Calculator Builder (v3.5.24) is a popular WordPress plugin (50k+ installs) that enables site owners to create customizable pricing calculators and capture form-based orders. It exposes AJAX endpoints—get_cc_orders to list orders and update_order_status to change an order’s status—relying solely on client-side nonces injected into window.ccb_nonces. However, these handlers perform no current_user_can() checks, permitting any visitor who steals or observes the publicly exposed nonces to list all orders (including customer names and email addresses) and arbitrarily mark payments as complete, canceled, rejected, or pending.

CVE-2025-8669 – Customify [THEME] – Unauth CSRF to Reset of All Settings – POC

Customify is a lightweight, highly customizable WordPress theme—active on over 50,000 sites—that offers granular control over layouts, colors, typography, and WooCommerce integrations. Its “Reset Section” feature lets administrators revert a group of options to defaults. However, CVE-2025-8669 exposes a serious flaw: the reset endpoint customify__reset_section lacks both nonce protection and capability checks, allowing unauthenticated users to force a complete reset of virtually all Customify theme settings via a single CSRF request.

CVE-2025-11705 – Anti-Malware Security and Brute-Force Firewall – Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read – POC

The Anti-Malware Security and Brute-Force Firewall plugin is installed on over 100,000 WordPress sites to detect, quarantine, and remove malicious code, as well as to prevent brute-force login attempts. Central to its functionality is a quarantine system that logs suspicious files into a private custom post type (GOTMLS_quarantine) and exposes administrative AJAX endpoints for viewing, scanning, and clearing these quarantined items. However, CVE-2025-11705 reveals a severe broken authorization chain: through the public-facing GOTMLS_View_Quarantine endpoint, any authenticated user—including a Subscriber+—can obtain a valid GOTMLS_mt token, then reuse that token to invoke GOTMLS_scan and read arbitrary filesystem files (e.g., wp-config.php), or call GOTMLS_empty_trash to tamper with quarantine records. This combination of token leakage and missing capability checks constitutes a critical confidentiality and integrity risk.

CVE-2025-8594 – Pz-LinkCard – SSRF – POC

Pz-LinkCard is a WordPress plugin with over 50,000 installations that transforms external URLs into rich, responsive card layouts using the [blogcard] shortcode. By fetching metadata—titles, thumbnails, descriptions—from remote sites, it enhances content engagement. However, a critical vulnerability—CVE-2025-8594—allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF). Because the plugin directly uses the user-supplied url attribute in server-side HTTP requests without any whitelist or validation, an attacker can coerce the server into fetching internal or arbitrary endpoints, risking data exposure, internal network probing, or remote service manipulation.

CVE-2025-8999 – Sydney – Missing Authorization to Authenticated (Subscriber+) Limited Theme Options Update – POC

The Sydney WordPress theme, active on over 100,000 sites, offers modular feature toggles—block templates, custom headers, advanced typography—managed via URL parameters on the Profile page. Unfortunately, a critical vulnerability—CVE-2025-8999—permits Subscriber+ or even unauthenticated users to activate or deactivate these theme modules without proper authorization. By simply visiting a crafted URL or submitting a CSRF form, low-privilege attackers can modify the sydney-modules option, enabling or disabling core theme functionality and potentially weakening site defenses or injecting unwanted features.

CVE-2025-9979 – Maspik – Authenticated (Subscriber+) Missing Authorization to Spam Log Export – POC

Maspik is a spam-logging WordPress plugin used by over 30,000 sites to record and analyze spam submissions across contact forms, checkout pages, and other inputs. It stores detailed records—email addresses, IPs, user agents, country data—in the wp_maspik_spam_logs table. A critical vulnerability—CVE-2025-9979—allows any authenticated user with as little as Subscriber+ privileges to export the entire spam log as a CSV file. This missing authorization on the Maspik_spamlog_download_csv endpoint leads to wholesale disclosure of potentially sensitive data without any nonce or capability checks.