CVE-2025-12971 – Folders – Incorrect Authorization on Folder Assignment lets Authors modify other users’ posts (IDOR) – POC

CVE-2025-12971 affects the WordPress plugin “Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager” (plugin slug: folders), a widely deployed plugin reported at roughly 90,000+ active installations on WordPress.org (often rounded to “100k+”). The vulnerability is an incorrect authorization (object-level access control) failure in the AJAX handlers used to assign “folder” taxonomy terms to posts and pages: the handlers act on a caller-supplied post_id without verifying that the caller is permitted to edit that particular post. In effect, an Author-level user can change folder assignments on content they do not own simply by calling the AJAX endpoints with a victim post_id, bypassing the per-post restrictions that the WordPress UI and capability model would otherwise enforce.

CVE-2025-10476 – WP Fastest Cache – Missing Authorization to Authenticated (Subscriber+) DB Cleanup Actions – POC

CVE-2025-10476 affects the WordPress plugin WP Fastest Cache (WordPress.org lists 1+ million active installations) and is an authorization flaw in an authenticated AJAX endpoint that can be abused by any logged-in user (Subscriber+) to trigger destructive “database cleanup / fix” operations. The security impact is not theoretical: the affected action can delete content history (revisions), remove trashed items, wipe spam/trashed comments, and clear transient data—changes that directly degrade integrity and availability and can create visible outages or operational disruption until administrators restore content or caches rebuild.

CVE-2025-13558 – Blog2Social – Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Trashing – POC

CVE-2025-13558 affects the WordPress plugin “Blog2Social: Social Media Auto Post & Scheduler” (commonly referenced as Blog2Social) and represents a classic object-level authorization failure where an authenticated user can trigger a destructive action against content they do not own. According to the public CVE description, all versions up to and including 8.7.0 are impacted, and the practical outcome is that a low-privileged authenticated account (Subscriber and above) can change the status of arbitrary posts to “trash,” resulting in immediate, user-visible disappearance of published content and disruption of editorial operations. The plugin’s footprint is non-trivial—WordPress.org reports “Active installations 50,000+,” which makes authorization regressions of this kind especially consequential in real deployments where Subscriber accounts exist for memberships, customers, forums, or gated content.

CVE-2023-49282 – Amelia – Exposed phpinfo() via Microsoft Graph SDK test file bundled in the Amelia Booking plugin – POC

CVE-2023-49282 is an information disclosure issue that surfaces in real WordPress environments when third-party dependencies ship test artifacts inside production packages and the hosting setup permits direct web access to those files. The Amelia Booking plugin (“ameliabooking”) bundles the Microsoft Graph PHP SDK under vendor/, and that SDK historically included a test script, tests/GetPhpInfo.php, that calls phpinfo() unconditionally. If the web server executes PHP files requested from within the plugin’s dependency tree, an unauthenticated visitor can retrieve a full phpinfo() page (PHP version, loaded extensions, configuration paths, environment and server variables) from a predictable URL. The weakness described in public advisories is specifically the presence of this callable test file at vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php; exploitation requires nothing beyond the web layer being willing to serve and execute that path.

CVE-2025-12359 – Responsive Lightbox & Gallery – SSRF via Author+ – POC

Responsive Lightbox & Gallery is a widely used WordPress plugin (100k+ installs) that enhances galleries and lightboxes, including support for remote images and “remote library” content blocks. As part of rendering gallery items, the plugin attempts to determine image dimensions (width/height) server-side when those values are missing or when an item is stored as a plain URL. During testing, we identified CVE-2025-12359, an authenticated SSRF vulnerability exploitable by Author+ users who can create or edit gallery content. By supplying an attacker-controlled URL, the plugin causes the WordPress server to initiate outbound requests to arbitrary internal or external addresses—including 127.0.0.1, RFC1918 networks, and potentially cloud metadata endpoints—without allow-listing, private-range blocking, or redirect safeguards.

CVE-2025-11427 – WP Migrate Lite – Unauthenticated Blind Server-Side Request Forgery – POC

WP Migrate Lite (≈200k+ installs) is a widely used WordPress migration plugin designed to synchronize databases and media between sites. Migration workflows often require remote communication between WordPress instances, which makes request-handling logic highly sensitive to authentication, nonce validation, and strict URL allow-listing. In WP Migrate Lite 2.7.5, we identified CVE-2025-11427, an unauthenticated blind Server-Side Request Forgery (SSRF) vulnerability reachable through a publicly exposed AJAX endpoint. By sending crafted parameters to admin-ajax.php?action=wpmdb_flush without any WordPress cookies, an attacker can coerce the WordPress server into issuing a backend wp_remote_post() request to an arbitrary host, including internal services on 127.0.0.1, RFC1918 networks, or cloud metadata endpoints—enabling internal probing, service interaction, and potential chained compromise.
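Both SSRF entries on this page (Responsive Lightbox & Gallery fetching image dimensions from a caller-supplied URL, and the unauthenticated wpmdb_flush request in WP Migrate Lite) come down to the same missing controls. The stand-alone PHP below is an added example written for this page, not code from either plugin: it assumes the cURL extension, uses hypothetical function names, and shows the shape of an outbound fetch that validates the scheme and host, resolves the name once while rejecting private, loopback, link-local and metadata ranges, pins that resolution so a DNS-rebinding answer cannot swap the target, and refuses to follow redirects. The closing loop runs the validator over constructed URLs with literal addresses so it works offline.

```php
<?php
// Added example, not code from Responsive Lightbox & Gallery or WP Migrate Lite.
// Stand-alone PHP (cURL extension assumed); function names are hypothetical.

/** True only for public unicast addresses (IPv4 or IPv6). */
function ssrf_ip_is_public( string $ip ): bool {
    // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7.
    // NO_RES_RANGE: 0/8, 127/8, 169.254/16 (cloud metadata lives here), 240/4, ::1, ::, fe80::/10.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if ( filter_var( $ip, FILTER_VALIDATE_IP, $flags ) === false ) {
        return false;
    }
    // IPv4-mapped IPv6 (::ffff:10.0.0.5) is judged by the embedded IPv4 address.
    if ( preg_match( '/^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i', $ip, $m ) ) {
        return ssrf_ip_is_public( $m[1] );
    }
    // Shared address space 100.64.0.0/10 is not in PHP's reserved list; treat it as internal.
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) !== false
         && ( ip2long( $ip ) >> 22 ) === ( ip2long( '100.64.0.0' ) >> 22 ) ) {
        return false;
    }
    return true;
}

/** Validate a caller-supplied URL; returns the pinned target, or null when it must not be fetched. */
function ssrf_validate_url( string $url ): ?array {
    $p = parse_url( $url );
    if ( ! is_array( $p ) || empty( $p['scheme'] ) || empty( $p['host'] ) ) {
        return null;
    }
    $scheme = strtolower( $p['scheme'] );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return null; // no file://, gopher://, ftp:// ...
    }
    if ( isset( $p['user'] ) || isset( $p['pass'] ) ) {
        return null; // http://trusted@127.0.0.1/ style parser confusion
    }
    $port = $p['port'] ?? ( $scheme === 'https' ? 443 : 80 );
    if ( ! in_array( $port, array( 80, 443 ), true ) ) {
        return null; // stops the server being used to probe 127.0.0.1:6379 and friends
    }
    $host = strtolower( trim( $p['host'], '[]' ) );
    // Resolve exactly once. Literal IPs pass through; names get their A records here
    // (add AAAA via dns_get_record() where the host has IPv6 egress).
    $ips = filter_var( $host, FILTER_VALIDATE_IP ) !== false ? array( $host ) : ( gethostbynamel( $host ) ?: array() );
    if ( ! $ips ) {
        return null;
    }
    foreach ( $ips as $ip ) {
        if ( ! ssrf_ip_is_public( $ip ) ) {
            return null; // one internal answer poisons the whole name
        }
    }
    return array( 'url' => $url, 'host' => $host, 'port' => $port, 'ip' => $ips[0] );
}

/** Fetch a validated target with its resolution pinned and redirects refused. */
function ssrf_safe_fetch( array $t, int $max_bytes = 2000000 ): ?string {
    $ch = curl_init( $t['url'] );
    curl_setopt_array( $ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                      // a 302 to an internal host is the classic bypass
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => $max_bytes,                 // honoured only when Content-Length is sent
        CURLOPT_RESOLVE        => array( "{$t['host']}:{$t['port']}:{$t['ip']}" ), // pin; defeats TTL-0 rebinding
    ) );
    $body = curl_exec( $ch );
    $code = (int) curl_getinfo( $ch, CURLINFO_RESPONSE_CODE );
    curl_close( $ch );
    return ( $body !== false && $code === 200 ) ? $body : null; // a 3xx lands here and is dropped
}

/** The lightbox use case: image dimensions without ever passing a URL to getimagesize(). */
function remote_image_size( string $url ): ?array {
    $t = ssrf_validate_url( $url );
    if ( $t === null ) {
        return null;
    }
    $bytes = ssrf_safe_fetch( $t );
    if ( $bytes === null ) {
        return null;
    }
    $info = getimagesizefromstring( $bytes ); // in-memory parse: no stream wrapper, no redirect following
    return $info ? array( 'width' => $info[0], 'height' => $info[1] ) : null;
}

// Constructed inputs with literal addresses so the validator runs offline.
foreach ( array(
    'http://127.0.0.1/',
    'http://169.254.169.254/latest/meta-data/',
    'http://[::1]/',
    'http://[::ffff:10.0.0.5]/',
    'http://10.0.0.5:6379/',
    'http://100.100.1.1/',
    'file:///etc/passwd',
    'http://203.0.113.10/photo.jpg',
) as $url ) {
    printf( "%-45s %s\n", $url, ssrf_validate_url( $url ) ? 'allowed' : 'blocked' );
}
```

Inside WordPress the closest stock building block is wp_safe_remote_get() / wp_safe_remote_post(), whose reject_unsafe_urls option runs wp_http_validate_url() on the initial URL and on each redirect hop; note that it resolves via gethostbyname() (IPv4 only) and does not pin the answer, so the pinning step above is still worth adding where the target host is attacker-chosen. For the WP Migrate Lite case the URL check is necessary but not sufficient: an endpoint that makes the server talk to another host must also demand a nonce and a capability, not be reachable without cookies at all.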

CVE-2025-12494 – Modula – Image Gallery – Photo Grid & Video Gallery – Improper Authorization to Authenticated (Author+) Arbitrary Image File Move – POC

Modula – Image Gallery (Photo Grid & Video Gallery) is a widely deployed WordPress gallery plugin (100k+ installs) used to build responsive image grids and media galleries. It includes an “import file” feature to bring images into the Media Library. During testing, we identified CVE-2025-12494, a high-impact improper authorization / unsafe file operation vulnerability: an Author+ user can supply a filesystem path to a local image and—when delete_files=true—cause WordPress’ media_handle_sideload() pipeline to move (not copy) that file into uploads, effectively removing the original asset from its source location. Because the endpoint does not enforce a base-directory allowlist (no realpath() prefix check), attackers can target application assets such as theme images, plugin graphics, or other local files readable/writable by PHP, resulting in content integrity loss and site destabilization.
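The missing realpath() prefix check described above is the whole fix. The stand-alone PHP below is an added example written for this page, not Modula's code: it assumes a hypothetical staging directory that is the only place an import may read from, canonicalises the caller's path (collapsing ../ and following symlinks) before comparing it against that base, copies rather than moves so the sideload pipeline never touches the original, and unlinks the source only when asked and only once it is proven to sit inside the base. The layout it builds under the system temp directory, including the out-of-tree "theme-logo.png" and the symlink into it, is constructed for the demonstration.

```php
<?php
// Added example, not Modula's code. Stand-alone PHP; the staging layout,
// the demo files and the function names are assumptions.

/** Canonicalise $candidate and return it only if it lies inside $base; null otherwise. */
function resolve_inside( string $base, string $candidate ): ?string {
    $real_base = realpath( $base );
    $real      = realpath( $candidate ); // false when missing; collapses ../ and follows symlinks
    if ( $real_base === false || $real === false ) {
        return null;
    }
    // Trailing separator so "/srv/uploads-old" cannot pass for base "/srv/uploads".
    $real_base = rtrim( $real_base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    return strncmp( $real, $real_base, strlen( $real_base ) ) === 0 ? $real : null;
}

/**
 * Import an image from the staging area. The source is copied, never moved, and
 * unlinked only when the caller asked for it AND it is inside the staging base.
 * Returns the path of the copy handed onward, or null on refusal.
 */
function import_local_image( string $path, string $staging_base, bool $delete_source ): ?string {
    $src = resolve_inside( $staging_base, $path );
    if ( $src === null || ! is_file( $src ) ) {
        return null; // outside the allow-listed tree, or not a regular file
    }
    // Decide on bytes, not on the extension the caller picked.
    $mime = ( new finfo( FILEINFO_MIME_TYPE ) )->file( $src );
    if ( ! in_array( $mime, array( 'image/jpeg', 'image/png', 'image/gif', 'image/webp' ), true ) ) {
        return null;
    }
    $tmp = tempnam( sys_get_temp_dir(), 'import-' );
    if ( $tmp === false || ! copy( $src, $tmp ) ) {
        return null;
    }
    // In WordPress the copy, not $src, would be handed to the move-based pipeline:
    //   media_handle_sideload( array( 'name' => basename( $src ), 'tmp_name' => $tmp ), 0 );
    if ( $delete_source ) {
        unlink( $src ); // $src is proven to be under $staging_base, so nothing else can be removed
    }
    return $tmp;
}

// Constructed layout: a staging directory beside a file that must stay untouched.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'import-demo-' . getmypid();
mkdir( $root . '/staging', 0700, true );
$png = base64_decode( 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==' ); // 1x1 PNG
file_put_contents( $root . '/staging/ok.png', $png );
file_put_contents( $root . '/theme-logo.png', $png );
symlink( $root . '/theme-logo.png', $root . '/staging/link.png' );

foreach ( array(
    'staging/ok.png',            // inside the base
    'staging/../theme-logo.png', // dot-dot traversal out of the base
    'staging/link.png',          // symlink whose target is outside the base
    'staging/missing.png',       // does not exist
) as $rel ) {
    $out = import_local_image( $root . '/' . $rel, $root . '/staging', true );
    printf( "%-28s %s\n", $rel, $out === null ? 'refused' : 'imported copy ' . basename( $out ) );
    if ( $out !== null ) {
        unlink( $out );
    }
}
printf( "theme-logo.png still present: %s\n", file_exists( $root . '/theme-logo.png' ) ? 'yes' : 'no' );

// Tidy up the constructed layout.
foreach ( array( '/staging/link.png', '/staging/ok.png', '/theme-logo.png' ) as $f ) {
    @unlink( $root . $f );
}
rmdir( $root . '/staging' );
rmdir( $root );
```

The comparison must happen on the realpath() output of both sides and with a trailing separator appended to the base; a prefix check on the raw string is defeated by ../, by symlinks planted inside the allowed tree, and by sibling directories that merely share a name prefix. Copying first is what removes the "move, not copy" hazard the entry describes: even if a later check is wrong, the original asset is still where it was.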

CVE-2025-12377 – Envira Gallery Lite – Incorrect Authorization Enables Cross-Gallery Image Removal – POC

Envira Gallery Lite is a popular WordPress gallery plugin with 100k+ installs, commonly used to build image galleries as a custom post type (envira). Galleries are frequently curated for portfolios, product pages, and editorial content, making integrity of gallery composition important. CVE-2025-12377 describes an incorrect authorization flaw in the AJAX image removal workflow: instead of enforcing object-level permissions on the target gallery, the handler accepts only the broad edit_posts capability. This means any user who can edit their own posts (e.g., Author) can tamper with any Envira gallery by removing images from it—without owning the gallery—resulting in visual defacement and content integrity loss.
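Four entries on this page (Folders, WP Fastest Cache, Blog2Social and Envira Gallery Lite) are the same bug in different clothes: an AJAX handler gates on "is the caller logged in" or on a broad capability such as edit_posts, and then acts on whatever object ID the request names. The PHP below is an added example written for this page, not code from any of those plugins; the action names, nonce strings and the demo_folder taxonomy are hypothetical. It puts the vulnerable shape next to the hardened one and covers the three decisions a handler has to make: CSRF nonce, the meta-capability for the specific object (edit_post for folder assignment and gallery edits, delete_post for trashing), and an administrator capability for site-wide maintenance.

```php
<?php
// Added example, not code from Folders, WP Fastest Cache, Blog2Social or Envira.
// Action names, nonce strings and the "demo_folder" taxonomy are hypothetical.
// wp_send_json_error() ends the request, so no return is needed after it.

// VULNERABLE SHAPE: only a broad capability is checked, so an Author can pass any
// post_id and act on someone else's post (object-level IDOR).
add_action( 'wp_ajax_demo_assign_folder_unsafe', function () {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $term_id = absint( $_POST['term_id'] ?? 0 );
    wp_set_object_terms( $post_id, array( $term_id ), 'demo_folder' ); // nothing ties $post_id to the caller
    wp_send_json_success();
} );

// HARDENED SHAPE: CSRF nonce, then the meta-capability for *this* post, then the
// taxonomy's own assign_terms capability.
add_action( 'wp_ajax_demo_assign_folder', function () {
    check_ajax_referer( 'demo_assign_folder', 'nonce' ); // ends the request with 403 on mismatch

    $post_id = absint( $_POST['post_id'] ?? 0 );
    $term_id = absint( $_POST['term_id'] ?? 0 );

    // edit_post maps to edit_others_posts when the post belongs to someone else and to
    // do_not_allow when the ID does not exist, so an Author is confined to their own posts.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $tax = get_taxonomy( 'demo_folder' );
    if ( ! $tax || ! current_user_can( $tax->cap->assign_terms ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( ! term_exists( $term_id, 'demo_folder' ) ) {
        wp_send_json_error( 'unknown term', 400 );
    }
    $result = wp_set_object_terms( $post_id, array( $term_id ), 'demo_folder' );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
} );

// Destructive per-object actions (the Blog2Social trashing class; the same check
// with the gallery's post ID covers Envira-style image removal from an envira post)
// use the delete_post meta-capability, which is what trashing requires.
add_action( 'wp_ajax_demo_trash_post', function () {
    check_ajax_referer( 'demo_trash_post', 'nonce' );
    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( (bool) wp_trash_post( $post_id ) );
} );

// Site-wide maintenance (the WP Fastest Cache DB-cleanup class) is an administrator
// capability, never "any logged-in user".
add_action( 'wp_ajax_demo_db_cleanup', function () {
    check_ajax_referer( 'demo_db_cleanup', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_expired_transients(); // stand-in for the plugin's own revision/transient cleanup
    wp_send_json_success();
} );
```

The test that catches every entry on this list is the same: log in as an Author (or a Subscriber for the cleanup case), take a post_id that belongs to another user, and replay the handler's request with that ID. A correct handler answers 403 from current_user_can() on the specific object; a handler that only asked about edit_posts or is_user_logged_in() carries out the change. Note that the nonce alone is not the fix: a nonce proves the request came from the site's own UI, not that the caller is allowed to touch the object it names.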