CVE-2025-11373
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to upload arbitrary files to affected servers because of missing capability checks in the Depicter plugin. Only a limited set of file types can be uploaded, but this can still lead to server compromise. All WordPress sites running Depicter plugin versions up to 4.0.4 are affected.
💻 Affected Systems
- Popup and Slider Builder by Depicter WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers upload malicious PHP files and achieve remote code execution, gaining full control of the WordPress server.
Likely Case
Attackers upload web shells or malicious scripts to deface websites, steal data, or establish persistence.
If Mitigated
With proper file type restrictions and server hardening, attackers can only upload harmless file types.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once authenticated. The vulnerability is in a public AJAX endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.5 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3384613%40depicter&old=3313042%40depicter&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Popup and Slider Builder by Depicter'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 4.0.5+ from WordPress.org and manually replace the plugin files.
🔧 Temporary Workarounds
Disable Depicter plugin
Temporarily disable the vulnerable plugin until patched
wp plugin deactivate depicter
Restrict user roles
Remove Contributor and higher roles from untrusted users
🧯 If You Can't Patch
- Implement web application firewall rules to block requests to /wp-admin/admin-ajax.php with action=depicter-media-upload
- Configure server to prevent execution of uploaded files in wp-content/uploads/depicter directory
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the Depicter version. If it is 4.0.4 or lower, the site is vulnerable.
Check Version:
wp plugin get depicter --field=version
Verify Fix Applied:
Verify Depicter plugin version is 4.0.5 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=depicter-media-upload from single user
- File uploads to wp-content/uploads/depicter/ directory with suspicious extensions
Network Indicators:
- Unusual traffic patterns to admin-ajax.php endpoint
- Uploads of non-image files to Depicter media endpoints
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "depicter-media-upload" AND status=200
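The two log indicators above, turned into a small checker that runs over constructed access-log lines. This is added example code, not from the page or the Depicter project; it assumes the AJAX action is visible in the request line's query string (if a site only sends it in the POST body, feed the checker a WAF or application-level log instead).

```python
import os
import re
from collections import Counter

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=depicter-media-upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Oct/2025:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=depicter-media-upload HTTP/1.1" 200 498 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Oct/2025:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=depicter-media-upload HTTP/1.1" 200 501 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Oct/2025:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Oct/2025:10:03:10 +0000] "GET /wp-content/uploads/depicter/upload.php HTTP/1.1" 200 77 "-" "curl/8.0"
10.0.0.9 - - [12/Oct/2025:10:04:00 +0000] "GET /wp-content/uploads/depicter/banner.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ACTION = "depicter-media-upload"  # AJAX action named in the advisory
UPLOAD_DIR = "/wp-content/uploads/depicter/"  # upload directory named in the advisory
# Server-side executable / active-content extensions that do not belong in a slider media directory.
SUSPICIOUS_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar", ".html", ".htm"}


def analyze(log_text, burst_threshold=3):
    """Return (clients with >= burst_threshold successful upload POSTs,
    list of (ip, path) hits for suspicious files under the upload directory)."""
    upload_counts = Counter()
    suspicious = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":  # only successful requests matter for these indicators
            continue
        path = m["path"]
        # Indicator 1: repeated successful POSTs to the upload action from one client.
        if m["method"] == "POST" and "/admin-ajax.php" in path and f"action={UPLOAD_ACTION}" in path:
            upload_counts[m["ip"]] += 1
        # Indicator 2: a non-image file being served out of the Depicter upload directory.
        if path.startswith(UPLOAD_DIR):
            ext = os.path.splitext(path.split("?", 1)[0])[1].lower()
            if ext in SUSPICIOUS_EXT:
                suspicious.append((m["ip"], path))
    bursts = {ip: n for ip, n in upload_counts.items() if n >= burst_threshold}
    return bursts, suspicious


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```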
🔗 References
- https://plugins.trac.wordpress.org/browser/depicter/tags/4.0.4/app/src/Middleware/CsrfAPIMiddleware.php#L51
- https://plugins.trac.wordpress.org/browser/depicter/tags/4.0.4/app/src/WordPress/FileUploaderService.php#L9
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3384613%40depicter&old=3313042%40depicter&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ae23f287-e4bb-4f97-aebe-18b6d7ad4e58?source=cve