Category: security

  • CVE-2025-14506: Analysis of Stored Cross-Site Scripting in ConvertForce Popup Builder <= 0.0.7 (WordPress Plugin)

    Overview. Description (based on CVE.org): The ConvertForce Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gutenberg block’s entrance_animation attribute in all versions up to, and including, 0.0.7. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to…

  • Understanding XML-RPC in WordPress: Abuse, Detection, and Protection

    Introduction. XML-RPC has been part of WordPress core for many years. It is enabled by default and provides a remote interface that allows external clients to interact with a WordPress site programmatically. Despite this, XML-RPC is frequently treated as if it were a vulnerability. Many security guides recommend disabling it outright, and automated scanners often…

  • CVE-2025-13801: Analysis of Unauthenticated Arbitrary File Read in Yoco Payments <= 3.8.8 (WordPress Plugin)

    Overview. Description (based on CVE.org): The Yoco Payments plugin for WordPress contains a path traversal vulnerability affecting all versions up to and including 3.8.8. This issue allows unauthenticated attackers to read arbitrary files from the server filesystem, which may result in the disclosure of sensitive information. Vulnerability: Software: Yoco Payments; Type: WordPress Plugin; Affected Versions:…

  • CVE-2025-13820: Analysis of Privilege Escalation in wpDiscuz < 7.6.40 (WordPress Plugin)

    Privilege Escalation Overview. CVE-2025-13820 is a critical vulnerability in the WordPress plugin wpDiscuz versions prior to 7.6.40 that allows unauthenticated attackers to escalate privileges via the Disqus OAuth integration, resulting in full account takeover on the affected WordPress site. Vulnerability: Software: wpDiscuz; Type: WordPress Plugin; Affected Versions: < 7.6.40; Affected Component: Social Login (Disqus OAuth…