WP Migrate Lite (≈200k+ installs) is a widely used WordPress migration plugin designed to synchronize databases and media between sites. Migration workflows often require remote communication between WordPress instances, which makes request-handling logic highly sensitive to authentication, nonce validation, and strict URL allow-listing. In WP Migrate Lite 2.7.5, we identified CVE-2025-11427, an unauthenticated blind Server-Side Request Forgery (SSRF) vulnerability reachable through a publicly exposed AJAX endpoint. By sending crafted parameters to admin-ajax.php?action=wpmdb_flush without any WordPress cookies, an attacker can coerce the WordPress server into issuing a backend wp_remote_post() request to an arbitrary host, including internal services on 127.0.0.1, RFC1918 networks, or cloud metadata endpoints—enabling internal probing, service interaction, and potential chained compromise.
CVE-2025-12494 – Modula – Image Gallery – Photo Grid & Video Gallery – Improper Authorization to Authenticated (Author+) Arbitrary Image File Move – POC

Modula – Image Gallery (Photo Grid & Video Gallery) is a widely deployed WordPress gallery plugin (100k+ installs) used to build responsive image grids and media galleries. It includes an “import file” feature to bring images into the Media Library. During testing, we identified CVE-2025-12494, a high-impact improper authorization / unsafe file operation vulnerability: an Author+ user can supply a filesystem path to a local image and—when delete_files=true—cause WordPress’ media_handle_sideload() pipeline to move (not copy) that file into uploads, effectively removing the original asset from its source location. Because the endpoint does not enforce a base-directory allowlist (no realpath() prefix check), attackers can target application assets such as theme images, plugin graphics, or other local files readable/writable by PHP, resulting in content integrity loss and site destabilization.
CVE-2025-12377 – Envira Gallery Lite – Incorrect Authorization Enables Cross-Gallery Image Removal – POC

Envira Gallery Lite is a popular WordPress gallery plugin with 100k+ installs, commonly used to build image galleries as a custom post type (envira). Galleries are frequently curated for portfolios, product pages, and editorial content, making integrity of gallery composition important. CVE-2025-12377 describes an incorrect authorization flaw in the AJAX image removal workflow: instead of enforcing object-level permissions on the target gallery, the handler accepts only the broad edit_posts capability. This means any user who can edit their own posts (e.g., Author) can tamper with any Envira gallery by removing images from it—without owning the gallery—resulting in visual defacement and content integrity loss.
CVE-2025-12045 – Orbit Fox Companion – Stored XSS via Contributor+ – POC
CVE-2025-8383 – Depicter – Cross-Site Request Forgery (CSRF) Unauth – POC

Depicter is a popular WordPress slider and content presentation plugin with 100k+ active installations. It allows administrators and editors to create dynamic documents (sliders, popups, content blocks) and define display rules that control where and how content is shown. During testing, we discovered CVE-2025-8383,
CVE-2025-11587 – Call Now Button – CSRF/Missing Auth Enables Forced Cloud Account Binding – POC

Call Now Button is a popular WordPress plugin (200k+ installs) that adds a call/chat overlay to a website and can be managed locally or via the vendor’s cloud. During testing, we identified CVE-2025-11587, a critical CSRF / Missing Authorization vulnerability that allows an attacker to force-bind a victim site to an attacker-controlled Call Now Button (CNB) cloud account. The flaw is caused by an unprotected admin-post activation endpoint that accepts a one-time token (OTT) from the request and stores it directly into the plugin’s persistent options, enabling cloud management without verifying the user’s capabilities and without verifying any nonce. The result is an arbitrary plugin configuration update that grants the attacker remote control over the on-site overlay and funnels user interactions into the attacker’s cloud project.
CVE-2025-11244 – Password Protected – Unauthenticated Authorization Bypass via IP Address Spoofing – POC

The Password Protected plugin (300k+ installs) is widely used to place a front-end password gate on WordPress sites, preventing casual visitors from viewing pages until a shared password is entered. While convenient, this security model must strictly bind the “authenticated” state to something the attacker cannot forge. CVE-2025-11244 shows a critical flaw in the plugin’s Advanced → Cache issue → “Use transients” mode: the plugin derives the session key from the visitor’s IP address, and it trusts client-supplied proxy headers (such as X-Forwarded-For) without a trusted proxy policy. This allows an unauthenticated attacker to spoof a victim’s public IP and reuse the victim’s transient-based “logged in” state, bypassing the password gate entirely.
CVE-2025-10579 – BackWPup – Six-Nibble Backup Exposure (Missing Authorization to Sensitive Information Exposure) – POC

BackWPup is one of the most widely deployed WordPress backup plugins (500k+ installs), often used to create full site archives containing database dumps and wp-content files. Those archives frequently include highly sensitive secrets—database credentials from wp-config.php, authentication salts, plugin configuration tokens, and user password hashes. CVE-2025-10579 describes a high-impact exposure chain where any authenticated low-privileged user (e.g., Subscriber) can (1) read live backup logs through an unprotected AJAX endpoint, (2) learn the exact archive filename as soon as it is generated, and (3) download the full backup archive from a web-served directory whose per-site “random” subfolder is only six hex characters. This combination of missing authorization plus predictable resource location turns backup archives into an easily harvested target, enabling complete confidentiality compromise and rapid pivot to full administrative control.
CVE-2025-10588 – PixelYourSite – Cross-Site Request Forgery (CSRF) to option updating – POC

PixelYourSite (Free) is a widely used tracking and analytics integration plugin, active on 500k+ WordPress sites. It centralizes pixel/tag configuration for platforms like Meta and Google, and exposes consent-related toggles in its admin UI. During testing we identified CVE-2025-10588, a Cross-Site Request Forgery (CSRF) flaw that allows an attacker to trick a logged-in administrator into silently enabling GDPR AJAX mode and related consent integrations without valid nonce verification. While the code checks that _wpnonce is present and confirms that the victim has the manage_pys capability, it does not verify the nonce value before mutating options, allowing a state change via a cross-origin GET or POST request.
CVE-2025-11519 – Image optimization service by Optimole – Insecure Direct Object Reference (IDOR) to Media Offload (Author+) – POC

Optimole (WP plugin, ~200k+ installs) optimizes images on the fly and can offload media to a CDN, replacing local files with remote versions to reduce bandwidth and storage. In Optimole WP 4.0.4 we identified CVE-2025-11519, an Insecure Direct Object Reference (IDOR) on the REST route /wp-json/optml/v1/move_image. Any authenticated user possessing the upload_files capability (e.g., Author) and a valid REST nonce can post arbitrary attachment IDs to trigger the offload flow, which deletes the local image and its generated variants after a CDN check. By iterating IDs (e.g., 1..9999), an attacker can mass-process the library and cause site-wide “missing image” failures, broken posts/pages, SEO degradation, and data loss that requires restoring from backups. Because this does not require admin privileges and can be fully automated, the severity is High.