Published On: Nov 26, 2025 09:28
Advisory No: TZCERT-SA-25-0124
Source: Wordfence
Software Affected: tnc-toolbox, easycommerce, holiday-class-post-calendar, cpi-wp-migration
Several WordPress plugins are affected by critical vulnerabilities. Exploitation of these vulnerabilities may allow an unauthenticated attacker to execute code remotely.
The WordPress plugins tnc-toolbox, easycommerce, holiday-class-post-calendar, and cpi-wp-migration are affected by the vulnerabilities tracked as CVE-2025-12539, CVE-2025-11457, CVE-2025-12813, and CVE-2025-11170, with CVSS scores of 10 and 9.8. The root causes are:

- tnc-toolbox stores cPanel API credentials (hostname, username, and API key) in files within the web-accessible wp-content directory without adequate protection, in the "Tnc_Wp_Toolbox_Settings::save_settings" function.
- The /easycommerce/v1/orders REST API endpoint in easycommerce does not properly restrict the ability for users to select roles during registration.
- holiday-class-post-calendar does not sanitize user-supplied data when creating a cache file.
- The Cpiwm_Import_Controller::import function in cpi-wp-migration lacks file type validation.

Successful exploitation of these vulnerabilities allows unauthenticated attackers to gain administrator-level access to a vulnerable site, upload arbitrary files, execute code remotely, and fully compromise the hosting environment.
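As an added example (not code from easycommerce or any other plugin named in this advisory), the following shows the hardened shape of a public WordPress REST registration route of the kind the role-selection issue calls for: the role is fixed server-side and never read from the request. The namespace, route and function names are hypothetical.

```php
<?php
// Added example, not code from any affected plugin. Hardened REST registration
// route: the caller cannot choose a role; the request is validated before
// wp_insert_user() runs. Namespace 'example-shop/v1' and the handler name are
// hypothetical.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-shop/v1', '/register', array(
        'methods'             => 'POST',
        'callback'            => 'example_shop_register_customer',
        // Public registration is only allowed when the site enables it.
        'permission_callback' => function () {
            return (bool) get_option( 'users_can_register' );
        },
        'args' => array(
            'email' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_email',
                'validate_callback' => function ( $value ) {
                    return is_email( $value ) && ! email_exists( $value );
                },
            ),
            // Deliberately no 'role' argument: a client-supplied role is ignored.
        ),
    ) );
} );

function example_shop_register_customer( WP_REST_Request $request ) {
    $email = $request->get_param( 'email' );

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $email, true ),
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        // The role is a server-side value, never $request->get_param( 'role' ).
        'role'       => get_option( 'default_role', 'subscriber' ),
    ) );

    if ( is_wp_error( $user_id ) ) {
        return new WP_Error( 'registration_failed', $user_id->get_error_message(),
            array( 'status' => 400 ) );
    }

    // The new user sets a password through the normal reset flow.
    wp_new_user_notification( $user_id, null, 'user' );

    return rest_ensure_response( array( 'id' => $user_id ) );
}
```

The same principle applies to any endpoint that creates or updates users: derive privileges from server-side configuration or the authenticated caller's capabilities, not from request parameters.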
Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected system.
WordPress has released security patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.
A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.