Cyber Resilience

CVE-2025-10896

High

Published: 04 November 2025

Published
04 November 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0062 70.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-10896 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 29.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-10896 is an unrestricted upload of file with dangerous type vulnerability affecting multiple WordPress plugins that incorporate the Jewel Theme Recommended Plugins Library, in all versions up to and including 1.0.2.3. The issue stems from missing capability checks in the '*_recommended_upgrade_plugin' function, which permits the installation of arbitrary plugin URLs. Specific affected plugins include image-hover-effects-elementor-addon, as evidenced by code in Libs/Assets.php, Libs/Recommended.php, and related changesets. The vulnerability is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-862 (Missing Authorization).

Authenticated attackers with subscriber-level access or higher can exploit this vulnerability by supplying a crafted plugin URL to the affected function, enabling the upload of arbitrary plugin packages directly to the WordPress site's server. Successful exploitation may lead to remote code execution, as the uploaded plugins can contain malicious code that executes with the privileges of the web server process.

References to WordPress plugin trac repositories indicate mitigation through code changes in specific changesets, such as 3384308 for image-hover-effects-elementor-addon and 3389322 for image-comparison-elementor-addon, which likely address the missing capability checks in the recommended plugin functions. Security practitioners should update to patched versions of affected plugins beyond 1.0.2.3 and review sites using the Jewel Theme Recommended Plugins Library for unauthorized plugins.

EU & UK References

Vulnerability details

Multiple plugins for WordPress with the Jewel Theme Recommended Plugins Library are vulnerable to Unrestricted Upload of File with Dangerous Type via arbitrary plugin installation in all versions up to, and including, 1.0.2.3. This is due to missing capability checks…

more

on the '*_recommended_upgrade_plugin' function which allows arbitrary plugin URLs to be installed. This makes it possible for authenticated attackers with subscriber-level access and above to upload arbitrary plugin packages to the affected site's server via a crafted plugin URL, which may make remote code execution possible.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables authenticated low-privilege attackers to upload arbitrary malicious plugin packages to a public-facing WordPress application, resulting in remote code execution, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-45209Shared CWE-862
CVE-2026-25026Shared CWE-862
CVE-2026-42083Shared CWE-862
CVE-2026-0656Shared CWE-862
CVE-2026-24532Shared CWE-862
CVE-2025-13603Shared CWE-862
CVE-2025-69063Shared CWE-862
CVE-2026-3045Shared CWE-862
CVE-2025-67956Shared CWE-862
CVE-2025-41765Shared CWE-862

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces least privilege to prevent subscriber-level users from accessing plugin installation functions missing capability checks.

prevent

Requires enforcement of approved authorizations, directly addressing the missing capability checks in the '*_recommended_upgrade_plugin' function.

prevent

Restricts user-installed software to block arbitrary plugin package uploads via crafted URLs in affected WordPress plugins.

References