CVE-2025-10896
Published: 04 November 2025
Summary
CVE-2025-10896 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 29.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-10896 is an unrestricted upload of file with dangerous type vulnerability affecting multiple WordPress plugins that incorporate the Jewel Theme Recommended Plugins Library, in all versions up to and including 1.0.2.3. The issue stems from missing capability checks in the '*_recommended_upgrade_plugin' function, which permits the installation of arbitrary plugin URLs. Specific affected plugins include image-hover-effects-elementor-addon, as evidenced by code in Libs/Assets.php, Libs/Recommended.php, and related changesets. The vulnerability is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-862 (Missing Authorization).
Authenticated attackers with subscriber-level access or higher can exploit this vulnerability by supplying a crafted plugin URL to the affected function, enabling the upload of arbitrary plugin packages directly to the WordPress site's server. Successful exploitation may lead to remote code execution, as the uploaded plugins can contain malicious code that executes with the privileges of the web server process.
References to WordPress plugin trac repositories indicate mitigation through code changes in specific changesets, such as 3384308 for image-hover-effects-elementor-addon and 3389322 for image-comparison-elementor-addon, which likely address the missing capability checks in the recommended plugin functions. Security practitioners should update to patched versions of affected plugins beyond 1.0.2.3 and review sites using the Jewel Theme Recommended Plugins Library for unauthorized plugins.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-37604
Vulnerability details
Multiple plugins for WordPress with the Jewel Theme Recommended Plugins Library are vulnerable to Unrestricted Upload of File with Dangerous Type via arbitrary plugin installation in all versions up to, and including, 1.0.2.3. This is due to missing capability checks…
more
on the '*_recommended_upgrade_plugin' function which allows arbitrary plugin URLs to be installed. This makes it possible for authenticated attackers with subscriber-level access and above to upload arbitrary plugin packages to the affected site's server via a crafted plugin URL, which may make remote code execution possible.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables authenticated low-privilege attackers to upload arbitrary malicious plugin packages to a public-facing WordPress application, resulting in remote code execution, directly facilitating T1190: Exploit Public-Facing Application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces least privilege to prevent subscriber-level users from accessing plugin installation functions missing capability checks.
Requires enforcement of approved authorizations, directly addressing the missing capability checks in the '*_recommended_upgrade_plugin' function.
Restricts user-installed software to block arbitrary plugin package uploads via crafted URLs in affected WordPress plugins.