CVE-2025-11370
📋 TL;DR
This vulnerability allows unauthenticated attackers to modify pop-up display settings in WordPress sites using the Depicter plugin. All WordPress installations with Depicter plugin versions up to 4.0.7 are affected. Attackers can change how pop-ups appear without needing any login credentials.
💻 Affected Systems
- Popup and Slider Builder by Depicter WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify pop-ups to display malicious content, redirect users to phishing sites, or hide legitimate content while showing deceptive messages.
Likely Case
Attackers will modify pop-up settings to display unwanted advertisements, redirect users to affiliate sites, or show misleading content for click fraud.
If Mitigated
With proper monitoring, changes would be detected quickly and could be reverted, but some users might still see malicious content before detection.
🎯 Exploit Status
Public proof-of-concept code exists showing how to exploit this vulnerability without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.8 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3428118/depicter/trunk/app/routes/ajax.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'Popup and Slider Builder by Depicter'.
4. Click 'Update Now' if available.
5. If no update shows, download version 4.0.8+ from WordPress.org and update manually.
🔧 Temporary Workarounds
Disable Depicter Plugin
Temporarily disable the vulnerable plugin until it is patched:
wp plugin deactivate depicter
Restrict AJAX Endpoint Access
Block access to the vulnerable AJAX endpoint via web server configuration:

# Apache (Order/Deny is Apache 2.2 syntax; on Apache 2.4 replace those two lines with "Require all denied")
<LocationMatch "/wp-content/plugins/depicter.*ajax">
    Order deny,allow
    Deny from all
</LocationMatch>

# Nginx
location ~* /wp-content/plugins/depicter.*ajax {
    deny all;
}
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests to /wp-content/plugins/depicter/*ajax endpoints
- Monitor WordPress logs for unauthorized POST requests to Depicter AJAX endpoints and alert on suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Depicter version. If version is 4.0.7 or lower, you are vulnerable.
Check Version:
wp plugin get depicter --field=version
Verify Fix Applied:
After updating, verify Depicter plugin shows version 4.0.8 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-content/plugins/depicter/*ajax endpoints from unauthenticated users
- Multiple rapid requests to Depicter AJAX endpoints
Network Indicators:
- Unusual POST requests to WordPress AJAX endpoints without authentication headers
- Traffic patterns showing exploitation attempts against /wp-admin/admin-ajax.php with depicter parameters
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND post_data CONTAINS "depicter" AND NOT user_agent CONTAINS "wp-admin")
🔗 References
- https://github.com/nguy3nB4oo11/depicter-vuln-repro/blob/main/RulesAjaxController.php
- https://github.com/nguy3nB4oo11/depicter-vuln-repro/blob/main/ajax.php
- https://plugins.trac.wordpress.org/changeset/3428118/depicter/trunk/app/routes/ajax.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d35faf39-4882-4393-9b77-57dc45ac9d04?source=cve