CVE-2025-10896

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated WordPress users with subscriber-level access or higher to install arbitrary plugin packages from crafted URLs, bypassing security controls. Attackers can upload malicious plugins leading to remote code execution. All WordPress sites using affected Jewel Theme Recommended Plugins Library versions are vulnerable.

💻 Affected Systems

Products:
  • WordPress plugins using Jewel Theme Recommended Plugins Library
Versions: All versions up to and including 1.0.2.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with subscriber-level authenticated user access. Multiple plugins using this library are affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full site compromise via remote code execution, allowing attackers to deface websites, steal data, install backdoors, or pivot to other systems.

🟠 Likely Case

Attackers upload malicious plugins to gain administrative access, modify content, or deploy cryptocurrency miners.

🟢 If Mitigated

With proper access controls and monitoring, unauthorized plugin installations would be detected and blocked before execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 1.0.2.3

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3384308%40image-hover-effects-elementor-addon&new=3384308%40image-hover-effects-elementor-addon

Restart Required: No

Instructions:

  1. Update all affected plugins to the latest versions.
  2. Verify that the plugins no longer use the vulnerable library version.
  3. Test site functionality after the updates.

🔧 Temporary Workarounds

Remove vulnerable plugins (applies to: all)

Temporarily disable or remove affected plugins until patches are available

wp plugin deactivate [plugin-name]
wp plugin delete [plugin-name]

Restrict user capabilities (applies to: all)

Remove plugin installation capabilities from subscriber and other non-admin roles

wp role reset subscriber
wp cap remove subscriber install_plugins

🧯 If You Can't Patch

  • Implement web application firewall rules to block plugin installation requests from non-admin users
  • Enable strict file upload validation and monitoring for unauthorized plugin files

🔍 How to Verify

Check if Vulnerable:

Check if any installed plugins contain 'Jewel Theme Recommended Plugins Library' files with version 1.0.2.3 or earlier

Check Version:

wp plugin list --fields=name,version | grep -i jewel

Verify Fix Applied:

Verify that plugin files no longer contain the vulnerable *_recommended_upgrade_plugin function, or that the function now performs proper capability checks before installing anything.
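For reference, this is the shape a correctly guarded installer handler takes (an added illustrative example, not the Jewel Theme library's or any affected plugin's code; the action and function names are assumptions): it rejects callers without the install_plugins capability, verifies a nonce, and builds the package URL from a plugin slug via the official Plugins API instead of trusting a caller-supplied URL.

```php
<?php
// Illustrative hardened AJAX handler for a "recommended plugin" installer.
// Not the Jewel Theme library's code; hook and function names are assumptions.
add_action( 'wp_ajax_example_install_recommended_plugin', 'example_install_recommended_plugin' );

function example_install_recommended_plugin() {
    // 1. Capability check: subscribers (and anyone else lacking install_plugins) are rejected.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_install_recommended_plugin', 'nonce' );

    // 3. Do not install from a caller-supplied URL. Accept only a plugin slug and
    //    resolve the download link through the official Plugins API.
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( 'Missing plugin slug.', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( $api->get_error_message(), 404 );
    }

    // 4. Defence in depth: even the API-returned link must point at downloads.wordpress.org.
    $host = wp_parse_url( $api->download_link, PHP_URL_HOST );
    if ( 'downloads.wordpress.org' !== $host ) {
        wp_send_json_error( 'Unexpected package source.', 400 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'Installation failed.', 500 );
    }

    wp_send_json_success( array( 'slug' => $slug ) );
}
```

When reviewing a patched plugin, look for the equivalent of steps 1 and 2 at the very top of the handler; a handler that reaches the upgrader before checking current_user_can() is still exploitable by any logged-in user.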

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized plugin installation attempts
  • HTTP POST requests to plugin installation endpoints from non-admin users
  • Unexpected plugin activation events

Network Indicators:

  • Outbound connections to suspicious plugin repositories
  • Unusual file upload patterns to wp-content/plugins/

SIEM Query:

source="wordpress" AND (event="plugin_installed" OR event="plugin_activated") AND user_role!="administrator"
