CVE-2026-2687 – Reading progressbar – Stored XSS – POC

WordPress plugins that enhance user experience often expose administrative configuration fields that directly influence frontend rendering. When these fields are not properly sanitized, they can become a serious attack surface. CVE-2026-2687 affects the Reading Progressbar plugin, a lightweight tool that displays a reading progress indicator using an HTML5 element and JavaScript.

A stored Cross-Site Scripting (XSS) vulnerability was identified in the plugin’s settings panel, allowing an attacker to inject malicious JavaScript that is permanently stored and later executed in visitors’ or administrators’ browsers. This flaw can be leveraged to compromise administrator sessions, inject backdoors, or fully take over affected WordPress sites.

CVE-2025-14371 – TaxoPress – IDOR / Object‑Level Authorization Bypass to Modify Terms of Arbitrary Post – POC

CVE-2025-14371 affects TaxoPress and breaks a core WordPress safety boundary: a user may have access to an editor feature but should not be able to change content they cannot edit. The vulnerability allows any authenticated user who is permitted to use the TaxoPress AI metabox, typically Contributor or Author and above, to add or remove tags on posts they do not own by supplying a victim post ID. This is a direct content integrity issue because tags and other taxonomy terms drive search relevance, internal navigation, feeds, and SEO surfaces, meaning a low-privilege account can silently reshape how content is discovered even when the same user cannot open the post editor for the target post. The install base is significant at 50k plus, so multi-author environments where Contributors exist are realistic targets rather than edge cases.

CVE-2025-14163 – Premium Addons for Elementor – CSRF on Elementor Template Creation – POC

CVE-2025-14163 is a Cross-Site Request Forgery weakness in Premium Addons for Elementor that turns a normal authenticated workflow into a silent action a victim performs on an attacker’s behalf. The core problem is simple but dangerous in real operations: a logged-in user can be tricked into creating a new Elementor template without clicking anything and without seeing a warning, because the plugin’s AJAX action accepts a state-changing request that lacks any CSRF protection. Even though the action requires a user who has edit_posts, that still covers a wide range of common roles on real sites such as Author and Editor, which means this is not limited to administrators and can be triggered against typical editorial staff who routinely browse the web while logged in.

CVE-2025-14155 – Premium Addons for Elementor – Unauthenticated Sensitive Data Disclosure – POC

CVE-2025-14155 is an unauthenticated information disclosure vulnerability in Premium Addons for Elementor – Powerful Elementor Templates & Widgets, where an external attacker can retrieve the rendered HTML of Elementor templates that were never meant to be publicly readable. The National Vulnerability Database (NVD) describes the root cause as a missing capability check in the plugin’s get_template_content function, enabling unauthenticated attackers to view the contents of private, draft, and pending templates in all versions up to and including 4.11.53. This matters in real deployments because Elementor templates often contain unpublished landing pages, internal copy, experiment variants, marketing plans, gated offers, or “coming soon” pages that site owners assume are only visible inside the editor/dashboard until explicitly published or embedded.

CVE-2025-11369 – Essential Blocks – Missing Auth to Sensitive Data Exposure (API keys of Instagram) Author+ – POC

CVE-2025-11369 impacts the WordPress plugin Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns (“Essential Blocks”) and is a classic Missing / Incorrect Capability Check issue that results in unauthorized access to sensitive configuration data. The vulnerability allows authenticated users with Author-level access and above to retrieve API keys and tokens configured for external services, because several plugin entry points validate only a weak or incorrect permission boundary rather than a strict administrative capability. NVD summarizes the root cause precisely: missing or incorrect capability checks in functions associated with Instagram, Google Maps, and site info retrieval in all versions up to and including 5.7.2, enabling authenticated Author+ users to view API keys for external services. Because Essential Blocks has a large deployment footprint (200,000+ active installations on WordPress.org), the real-world impact is not niche—multi-author sites that grant Author roles routinely (editors, guest authors, content teams) are exactly the environments where this exposure becomes operationally relevant.

CVE-2025-13794 – Auto Featured Image – Missing Authorization to Authenticated (Contributor+) Post Thumbnail Modification – POC

CVE-2025-13794 is an Incorrect Authorization / Missing Authorization (CWE-862) vulnerability in the WordPress plugin Auto Featured Image (Auto Post Thumbnail) that breaks WordPress’ object-level access control for post thumbnails when bulk actions are used from the Posts list screen. The vulnerability affects all versions up to and including 4.2.1, and it allows authenticated attackers with Contributor-level access or higher to delete or generate featured images on posts they do not own, effectively enabling cross-user content tampering without the normal “can you edit this specific post?” gate. Because the plugin is widely deployed (WordPress.org shows 50,000+ active installations), this kind of low-privilege workflow bypass has real operational impact on multi-author sites, editorial teams, and any WordPress environment that relies on role separation to protect content integrity.

CVE-2025-15527 – WP Recipe Maker – Authenticated (Contributor+) Private Post Title & Featured Image Disclosure via REST – POC

CVE-2025-15527 is an information exposure vulnerability in the WordPress plugin WP Recipe Maker that breaks WordPress’ expected post privacy model for low-privileged editorial accounts. The core issue is a REST API endpoint that returns post metadata for any arbitrary post ID, while authorizing access using a broad capability check (edit_posts) rather than an object-level read permission check tied to the specific post being requested. In affected versions up to and including 10.2.2, this enables authenticated users with Contributor-level access and above to retrieve the title and featured image URL of posts they should not be able to view, including draft, private, and password-protected posts owned by other users.

CVE-2025-10583 – WP Fastest Cache – Missing Authorization to Authenticated (Subscriber+) Blind Server-Side Request Forgery – POC

CVE-2025-10583 is an authenticated Server-Side Request Forgery (SSRF) vulnerability in the WordPress plugin WP Fastest Cache, affecting versions up to and including 1.7.4 according to the NVD record. What makes this issue especially operationally relevant is the plugin’s adoption: the WordPress.org listing shows 1+ million active installations, so any low-privilege-to-network-recon bug has immediate “real internet” consequences across a large attack surface. The core impact is not a direct data exfiltration primitive by itself, but rather a reliable way for a low-privileged authenticated user to coerce the server into making outbound connections, which can be weaponized for internal network discovery, firewall bypass, and chaining into higher-impact compromises.

CVE-2025-13891 – Image Gallery – Photo Grid & Video Gallery (Modula) – Authenticated Path Traversal / Directory Enumeration (via “file browser” AJAX) – POC

CVE-2025-13891 impacts the WordPress plugin Image Gallery – Photo Grid & Video Gallery (Modula) and is a path traversal / directory enumeration weakness in the plugin’s “file browser” AJAX functionality. The public CVE records describe that all versions up to and including 2.13.3 are affected, and that the vulnerable AJAX endpoint is modula_list_folders, which accepts a user-supplied directory path and fails to enforce a safe base directory restriction, enabling an authenticated user to enumerate arbitrary server directories.

CVE-2025-13620 – Wp Social Login and Register Social Counter – Missing Authorization in Cache REST Endpoints to Social Counter Tampering – POC

CVE-2025-13620 affects the WordPress plugin “Wp Social Login and Register Social Counter” (plugin: wp-social) and is a Missing Authorization / Improper Authorization issue in multiple REST API routes that are exposed without authentication. The vulnerability is caused by REST routes being registered with permission_callback set to __return_true, combined with handlers that perform state-changing cache operations without any capability check or nonce validation. As a result, an unauthenticated attacker can clear and overwrite the plugin’s cached social counter values (notably Instagram), which directly influences the front-end widget output and can be abused to display incorrect follower counts or otherwise disrupt the counter feature.