{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11373", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-06T15:02:09.683Z", "datePublished": "2025-11-05T06:35:00.978Z", "dateUpdated": "2026-04-08T17:15:19.935Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:15:19.935Z"}, "affected": [{"vendor": "averta", "product": "Depicter \u2014 Popup & Slider Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Popup and Slider Builder by Depicter \u2013 Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability checks in the \"depicter-media-upload\" AJAX route in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload limited files on the affected site's server."}], "title": "Popup and Slider Builder by Depicter \u2013 Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel <= 4.0.4 - Missing Authorization to Authenticated (Contributor+) Safe File Type Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ae23f287-e4bb-4f97-aebe-18b6d7ad4e58?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/depicter/tags/4.0.4/app/src/Middleware/CsrfAPIMiddleware.php#L51"}, {"url": "https://plugins.trac.wordpress.org/browser/depicter/tags/4.0.4/app/src/WordPress/FileUploaderService.php#L9"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3384613%40depicter&old=3313042%40depicter&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "timeline": [{"time": "2025-09-17T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-10-07T11:18:32.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-04T17:49:44.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-05T14:24:04.782602Z", "id": "CVE-2025-11373", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T14:24:11.253Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11373", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-05T14:24:04.782602Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-05T14:24:08.006Z"}}], "cna": {"title": "Popup and Slider Builder by Depicter \u2013 Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel <= 4.0.4 - Missing Authorization to Authenticated (Contributor+) Safe File Type Upload", "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "averta", "product": "Depicter \u2014 Popup & Slider Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.0.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-17T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-10-07T11:18:32.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-04T17:49:44.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ae23f287-e4bb-4f97-aebe-18b6d7ad4e58?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/depicter/tags/4.0.4/app/src/Middleware/CsrfAPIMiddleware.php#L51"}, {"url": "https://plugins.trac.wordpress.org/browser/depicter/tags/4.0.4/app/src/WordPress/FileUploaderService.php#L9"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3384613%40depicter&old=3313042%40depicter&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Popup and Slider Builder by Depicter \u2013 Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability checks in the \"depicter-media-upload\" AJAX route in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload limited files on the affected site's server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:15:19.935Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11373", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:15:19.935Z", "dateReserved": "2025-10-06T15:02:09.683Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-05T06:35:00.978Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Popup and Slider Builder by Depicter \u2013 Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability checks in the \"depicter-media-upload\" AJAX route in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload limited files on the affected site's server."}], "id": "CVE-2025-11373", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-05T07:15:31.653", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/depicter/tags/4.0.4/app/src/Middleware/CsrfAPIMiddleware.php#L51"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/depicter/tags/4.0.4/app/src/WordPress/FileUploaderService.php#L9"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3384613%40depicter&old=3313042%40depicter&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ae23f287-e4bb-4f97-aebe-18b6d7ad4e58?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:51:38.599120+00:00", "value": {"mitigation_remediation": ["Update the Depicter \u2013 Popup & Slider Builder plugin to the latest available revision to ensure the missing capability checks are restored.", "Limit or remove Contributor-level permissions on sites that do not require that role, thereby reducing the attacker set.", "Configure server\u2011side validation or use the WordPress media library restrictperms setting to restrict the types of files that can be uploaded, ensuring only allowed file extensions and MIME types are accepted."], "summary": {"action": "Immediate Update", "impact": "Unauthorized File Upload by Contributors"}, "threat_synthesis": {"affected_systems": "All installations of the Depicter \u2013 Popup & Slider Builder plugin from Averta with versions 4.0.4 and earlier are affected. The vulnerability is present in the \"depicter-media-upload\" AJAX route used for uploading media items such as images and other files. Users of newer releases (4.0.5 and above) are not impacted because the patch was applied after the public release of the version at issue.", "description_and_impact": "The Depicter \u2013 Popup & Slider Builder plugin for WordPress allows authenticated users with Contributor-level access to upload files through a specific AJAX endpoint because the code lacks proper capability checks. The files that can be uploaded are limited to certain safe file types, yet an attacker could still use them to host malicious content or compromise the site\u2019s media library. This flaw does not grant arbitrary code execution outright, but it gives the attacker a foothold for content injection or further attacks if additional vulnerabilities exist. The absence of authorization controls is a classic access\u2011control weakness, as identified by CWE\u2011862. This scenario can lead to unintended breakdown of confidentiality or integrity of the site\u2019s data, and may open doors for phishing or defacement if a malicious file is placed in a public directory.", "risk_and_exploitability": "With a CVSS score of 4.3, the severity is moderate, and the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The flaw is not listed in CISA\u2019s KEV catalog. Because the control missing is an authorization check, any user who has been granted Contributor (or higher) permissions on a WordPress site can exploit the upload feature. While the attack vector requires the attacker to be an authenticated user with at least Contributor privileges, that role is often granted to many collaborators. If a site\u2019s Contributor users are abused, the attacker could place spoofed images or other content that could trick visitors or create brand damage. The risk is amplified where such roles are widely distributed and where the site relies on uploaded media for public display."}}}}, "created": "2025-11-06T10:07:14.620756+00:00", "updated": "2026-04-21T02:00:12.296289+00:00", "vendors": ["averta", "averta$PRODUCT$slider_and_popup_builder_by_depicter", "wordpress", "wordpress$PRODUCT$wordpress"]}