WordPress Plugin Vulnerabilities

YML for Yandex Market < 5.0.26 - Shop Manager+ RCE via Feed Generation

Description

The plugin is vulnerable to Remote Code Execution via the feed generation process.

Proof of Concept

Affects Plugins

Plugin icon
yml-for-yandex-market
Fixed in 5.0.26

References

CVE
CVE-2025-14545

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Alex Tselevich (nos3curity)
Submitter
Alex Tselevich (nos3curity)
Submitter website
https://nosecurity.blog
Submitter twitter
nos3curity
Verified
Yes
WPVDB ID
9bb1a4ca-976c-461d-82de-8a3b04a56fbc

Timeline

Publicly Published
2026-03-19 (about 21 days ago)
Added
2026-03-12 (about 28 days ago)
Last Updated
2026-03-12 (about 28 days ago)

Other

Published
Title
Published
2025-08-03
Title
Javo Core <= 3.0.0.266 - Unauthenticated Remote Code Execution
Published
2024-05-03
Title
WordPress Meta Data and Taxonomies Filter (MDTF) < 1.3.3.3 - Unauthenticated Arbitrary Shortcode Execution
Published
2022-07-01
Title
WP All Import < 3.6.8 - Admin+ Arbitrary File Upload
Published
2014-08-01
Title
DZS Video Gallery - upload.php File Upload Remote Code Execution
Published
2023-09-26
Title
Ni Purchase Order(PO) For WooCommerce < 1.2.2 - Admin+ File Upload to Remote Code Execution