WordPress Plugin Vulnerabilities

Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel < 4.0.5 - Missing Authorization to Authenticated (Contributor+) Safe File Type Upload

Description

The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability checks in the "depicter-media-upload" AJAX route in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload limited files on the affected site's server.

Affects Plugins

Plugin icon
depicter
Fixed in 4.0.5

References

CVE
CVE-2025-11373
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ae23f287-e4bb-4f97-aebe-18b6d7ad4e58

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rafshanzani Suhada
Verified
No
WPVDB ID
b440ddc5-ee53-428a-8286-eda63a08c0fd

Timeline

Publicly Published
2025-11-04 (about 6 months ago)
Added
2025-11-04 (about 6 months ago)
Last Updated
2025-11-05 (about 6 months ago)

Other

Published
Title
Published
2026-04-16
Title
Canto <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Setting Modification
Published
2025-10-14
Title
Library Management System < 3.2 - Missing Authorization to Authenticated (Subscriber+) Settings Manipulation
Published
2023-10-24
Title
WP EXtra < 6.3 - Subscriber+ .htaccess File Modification
Published
2025-02-24
Title
Private Content <= 8.11.5 - Missing Authorization
Published
2022-01-17
Title
PPOM for WooCommerce < 24.0 - Subscriber+ Settings Update to Stored XSS