CVE-2025-8592 – Inspiro [THEME] – Unauth CSRF Leads to Arbitrary Plugin Upload and Remote Code Execution – POC

CVE-2025-8592 – Inspiro [THEME] – Unauth CSRF Leads to Arbitrary Plugin Upload and Remote Code Execution – POC

CVE-2025-8592 affects the popular Inspiro WordPress theme, which has amassed over 100,000 active installations. This vulnerability arises from an unauthenticated Cross-Site Request Forgery (CSRF) flaw in the theme’s AJAX handlers, specifically the inspiro_install_plugin action. By tricking an unsuspecting site administrator into visiting a malicious page, an attacker can silently install and activate plugins of their choosing from the official WordPress repository. If the forced plugin contains file-upload capabilities or known security weaknesses, the attacker can achieve full remote code execution (RCE) on the compromised site.

CVE-2025-9202 – ColorMag [THEME] – Missing Authorization to Authenticated (Subscriber+) Plugin Installation – POC

CVE-2025-9202 – ColorMag [THEME] – Missing Authorization to Authenticated (Subscriber+) Plugin Installation – POC

ColorMag is a widely used WordPress theme known for its magazine-style layouts and robust customization options, currently active on over 50,000 sites. It offers a seamless “import demo content” feature that loads theme demo data and recommended plugins via an AJAX action named import_button. However, a serious security flaw—CVE-2025-9202—has been discovered: the theme exposes the required nonce to Subscriber+ users through wp_localize_script, yet fails to enforce any capability checks. As a result, low-privileged users can invoke the import routine and install arbitrary plugins without proper authorization.

CVE-2025-8085 – Ditty – Unauthenticated SSRF – POC

CVE-2025-8085 – Ditty – Unauthenticated SSRF – POC

Ditty is a popular WordPress plugin for creating dynamic content displays—tickers, charts, and news feeds—through a user-friendly block editor interface. With over 50,000 active installations, it’s widely used to embed real-time data and media into pages and posts. However, a critical vulnerability—CVE-2025-8085—has been identified in its REST API: an unauthenticated Server-Side Request Forgery (SSRF) flaw in the endpoint wp-json/dittyeditor/v1/displayItems. This allows any unauthenticated visitor to coerce the server into fetching arbitrary external or internal URLs, potentially exposing internal network resources or enabling further exploits like remote code execution or data exfiltration.

CVE-2025-9111 – WPBOT – Stored XSS – POC

CVE-2025-9111 – WPBOT – Stored XSS – POC

WPBot is a WordPress plugin that provides an AI-powered chatbot for websites, enabling live chat support, lead generation, and data collection. It integrates with OpenAI, ChatGPT, and other LLM services, while also offering built-in automated support without external AI dependencies.

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in WPBot Lite that allows users to inject malicious scripts via the FAQ Builder, affecting users with sufficient access (such as contributors or admins reviewing FAQs). This vulnerability can lead to account compromise, data exfiltration, and site takeover.

CVE-2025-8891 – OceanWP [THEME] – Cross-Site Request Forgery to Ocean Extra Plugin Installation – POC

CVE-2025-8891 – OceanWP [THEME] – Cross-Site Request Forgery to Ocean Extra Plugin Installation – POC

OceanWP is a widely adopted WordPress theme, boasting over 50,000 active installations thanks to its performance-optimized code and extensive customization options. To further extend its capabilities, it relies on a companion plugin, Ocean Extra, which adds demo import, custom widgets, and additional theme settings. However, a critical vulnerability—CVE-2025-8891—has been discovered: an unauthenticated Cross-Site Request Forgery (CSRF) flaw that allows any visitor to invoke the oceanwp_notice_button_click AJAX action. This function, when called, automatically installs or activates the Ocean Extra plugin, effectively granting low-privileged users the ability to install new code on the site without any consent or proper authorization checks.

CVE-2025-8595 – Zakra [THEME] – Missing Authorization to Subscriber+ Demo Import – POC

CVE-2025-8595 – Zakra [THEME] – Missing Authorization to Subscriber+ Demo Import – POC

The Zakra WordPress theme, installed on over 50,000 websites, provides a one-click demo import feature that streamlines site setup by loading predefined layouts, widgets, and content. However, a critical vulnerability—CVE-2025-8595—allows even low-privileged Subscriber+ users to invoke the demo import process via the import_button AJAX action. By exploiting a publicly exposed nonce, attackers can import arbitrary demo content, modify site configuration, or trigger long-running operations, thereby disrupting the site or preparing for further privilege escalations.

CVE-2025-6790 – Quiz And Survey Master (QSM) – Template Creation via CSRF – POC

CVE-2025-6790 – Quiz And Survey Master (QSM) – Template Creation via CSRF  – POC

Quiz And Survey Master (QSM) is a powerful WordPress plugin used to design and deploy quizzes, surveys, and assessments, with over 50,000 active installations. Despite its extensive use for educational and marketing purposes, a critical vulnerability—CVE-2025-6790—has been identified that permits unauthenticated attackers to perform Cross-Site Request Forgery (CSRF) against its AJAX endpoint for quiz template creation. This flaw allows an attacker to inject arbitrary templates into the system, potentially enabling further administrative actions or content hijacking without requiring any valid credentials.

CVE-2025-8015 – Shortcodes Ultimate – Stored XSS (Author+) to Admin Account Creation – POC

CVE-2025-8015 – Shortcodes Ultimate – Stored XSS (Author+) to Admin Account Creation – POC

Shortcodes Ultimate is a ubiquitous WordPress plugin used by over 500,000 websites to effortlessly embed rich content—galleries, tabs, sliders—through simple shortcode syntax. While its drag-and-drop gallery builder and extensive shortcode library enhance user experience, a serious security flaw—CVE-2025-8015—has been discovered. This vulnerability permits an Author+ user to inject persistent JavaScript into gallery items (via image links or titles), which executes when administrators or other privileged users interact with the gallery. Ultimately, attackers can escalate privileges, create admin backdoors, and fully compromise the site.

CVE-2025-7369 – Shortcodes Ultimate – Unauthenticated Stored XSS via CSRF to Admin Account Creation – POC

CVE-2025-7369 – Shortcodes Ultimate – Unauthenticated Stored XSS via CSRF to Admin Account Creation – POC

The Shortcodes Ultimate plugin is a widely used WordPress toolkit, enabling site owners to add rich content elements—buttons, tabs, sliders—via simple shortcodes. With over 500,000 active installations, it is a go-to plugin for visual enhancements. However, a critical vulnerability, CVE-2025-7369, allows unauthenticated attackers to exploit a lack of CSRF protection on the plugin’s AJAX preview endpoint. By submitting a specially crafted form, an attacker can store malicious JavaScript in the database that executes in the administrator’s browser, opening the door to a full account-takeover backdoor.

CVE-2025-3414 – Structured Content <= 1.6.4 Contributor+ – Stored XSS to JS Backdoor Creation – POC

CVE-2025-3414 – Structured Content <= 1.6.4 Contributor+  – Stored XSS to JS Backdoor Creation – POC

The Structured Content plugin helps WordPress users enhance their pages with rich JSON-LD schema.org structured data elements. It allows for the insertion of components like FAQs, job postings, events, and more, with options to display the content as visible HTML or hidden machine-readable data.

However, in version 1.6.4 and below, a Stored Cross-Site Scripting (XSS) vulnerability was identified that allows users with Contributor privileges to inject malicious JavaScript via the “Additional CSS class(es)” field in FAQ blocks. This XSS payload is then persistently stored and can be executed when the HTML is rendered, leading to account compromise or further exploitation.