CVE-2025-12539

Severity: Critical
Published: 11 November 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (fix commit referenced in the deeper analysis below)
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0072 (72.6th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-12539 is a critical-severity Insecure Storage of Sensitive Information (CWE-922) vulnerability in the TNC Toolbox: Web Performance plugin for WordPress, affecting all versions up to and including 1.4.2. Its CVSS v3.1 base score is 10.0 (Critical); the score reaches the maximum because the exposed cPanel credentials give an unauthenticated network attacker control of the hosting account, beyond the WordPress site itself (scope changed).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it in the top 27.4% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content), SC-28 (Protection of Information at Rest) and CM-12 (Information Location).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) followed by Credentials In Files (T1552.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-22 Publicly Accessible Content (prevent): requires controlling and reviewing publicly accessible content so that sensitive information such as cPanel credentials is not exposed in web-accessible directories like wp-content.

SC-28 Protection of Information at Rest (prevent): mandates protecting the confidentiality of information at rest, which rules out plaintext storage of cPanel API credentials in files an attacker could fetch.

CM-12 Information Location (prevent): requires identifying where sensitive information such as stored cPanel credentials resides and protecting those locations so they never fall under a web-accessible path.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

The vulnerability is exploited against a public-facing WordPress site (T1190) by requesting, without authentication, the plain-text files that hold the cPanel API credentials; reading secrets out of insecurely stored files is the Credentials In Files sub-technique (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
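To hunt for this class of exposure on a site you operate, the following PHP CLI script walks a wp-content tree, flags files that parse as JSON or INI and carry a long value under a secret-looking key, and prints the URL an unauthenticated client would use to fetch each one. It is an added audit example, not code from the page or from the plugin; function names are hypothetical and the wp-content fixture it scans is constructed inline. It requires PHP 8 (for str_contains).

```php
<?php
// Added audit example (not from the page or the plugin): find plain-text
// credential files under wp-content and report where they are web-reachable.

$secret_keys = [ 'api_key', 'apikey', 'api_token', 'token', 'password', 'secret' ];

// Flatten nested JSON into dotted keys so 'cpanel.api_key' is still matched.
function tnc_audit_flatten( array $a, string $prefix = '' ): array {
    $out = [];
    foreach ( $a as $k => $v ) {
        $name = $prefix === '' ? (string) $k : $prefix . '.' . $k;
        if ( is_array( $v ) ) {
            $out += tnc_audit_flatten( $v, $name );
        } else {
            $out[ $name ] = $v;
        }
    }
    return $out;
}

// Return the keys in $path whose names look secret-bearing and whose values
// are long enough to be tokens (a 16+ character string), or [] if none.
function tnc_audit_file_secrets( string $path, array $secret_keys ): array {
    $raw = @file_get_contents( $path );
    if ( $raw === false ) {
        return [];
    }
    $ext   = strtolower( pathinfo( $path, PATHINFO_EXTENSION ) );
    $pairs = [];
    if ( $ext === 'json' ) {
        $decoded = json_decode( $raw, true );
        $pairs   = is_array( $decoded ) ? tnc_audit_flatten( $decoded ) : [];
    } elseif ( in_array( $ext, [ 'ini', 'txt', 'cfg', 'env' ], true ) ) {
        $parsed = @parse_ini_string( $raw, false, INI_SCANNER_RAW );
        $pairs  = is_array( $parsed ) ? $parsed : [];
    }
    $found = [];
    foreach ( $pairs as $k => $v ) {
        $lk = strtolower( (string) $k );
        foreach ( $secret_keys as $s ) {
            if ( str_contains( $lk, $s ) && is_string( $v ) && strlen( $v ) >= 16 ) {
                $found[] = $k;
                break;
            }
        }
    }
    return $found;
}

// Walk $webroot/wp-content and map each hit to its public URL. A .htaccess
// deny is noted but only Apache honours it; nginx never reads the file.
function tnc_audit_wp_content( string $webroot, string $site_url, array $secret_keys ): array {
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $webroot . '/wp-content', FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        $keys = tnc_audit_file_secrets( $file->getPathname(), $secret_keys );
        if ( $keys === [] ) {
            continue;
        }
        $htaccess = dirname( $file->getPathname() ) . '/.htaccess';
        $denied   = is_file( $htaccess )
            && preg_match( '/(deny from all|Require all denied)/i', file_get_contents( $htaccess ) );
        $findings[] = [
            'url'           => rtrim( $site_url, '/' ) . substr( $file->getPathname(), strlen( $webroot ) ),
            'keys'          => $keys,
            'apache_denied' => (bool) $denied,
        ];
    }
    return $findings;
}

// Constructed fixture mirroring the layout the NVD text describes:
// a settings file with host, user and API key under wp-content/uploads.
$root = sys_get_temp_dir() . '/tnc-audit-' . bin2hex( random_bytes( 4 ) );
$dir  = $root . '/wp-content/uploads/tnc-toolbox';
mkdir( $dir, 0700, true );
file_put_contents( $dir . '/settings.json', json_encode( [
    'cpanel_host'    => 'cpanel.example.test',
    'cpanel_user'    => 'siteowner',
    'cpanel_api_key' => str_repeat( 'A', 32 ), // placeholder, not a real token
] ) );

foreach ( tnc_audit_wp_content( $root, 'https://www.example.test', $secret_keys ) as $f ) {
    printf( "%s  keys=%s  apache_denied=%s\n",
        $f['url'], implode( ',', $f['keys'] ), $f['apache_denied'] ? 'yes' : 'no' );
}
```

Point the script at a real document root by replacing the fixture paths; any hit whose apache_denied is "no", or whose host runs nginx regardless of that flag, is retrievable by anyone who knows or guesses the file name, which is exactly the T1190 to T1552.001 path described above.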

NVD Description

The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2. This is due to the plugin storing cPanel API credentials (hostname, username, and API key) in files within the web-accessible wp-content directory without adequate protection in the "Tnc_Wp_Toolbox_Settings::save_settings" function. This makes it possible for unauthenticated attackers to retrieve these credentials and use them to interact with the cPanel API, which can lead to arbitrary file uploads, remote code execution, and full compromise of the hosting environment.

Deeper analysis

CVE-2025-12539 is a sensitive information exposure vulnerability in the TNC Toolbox: Web Performance plugin for WordPress, affecting all versions up to and including 1.4.2. The issue arises in the "Tnc_Wp_Toolbox_Settings::save_settings" function, which stores cPanel API credentials—including hostname, username, and API key—in files within the web-accessible wp-content directory without adequate protection. This exposure has a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and is linked to CWE-922.

Unauthenticated attackers exploit this by requesting the exposed files over HTTP and reading the cPanel credentials out of them. With hostname, username and API key in hand, an attacker can call the cPanel API as the hosting account owner, which permits arbitrary file uploads, remote code execution and full compromise of the hosting environment, not just of the WordPress site.
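The pattern the NVD text attributes to save_settings, and a hardened replacement, side by side. This is an added example written for this page, not the plugin's code and not the referenced fix commit; the function, option and constant names (tnc_example_*, TNC_EXAMPLE_ENC_KEY) are hypothetical, while the WordPress and libsodium calls are the real APIs. The hardened version authorises the caller, keeps the secret out of any web-served path (CM-12) and encrypts it at rest in the options table (SC-28).

```php
<?php
// Added example, not the plugin's code: vulnerable storage pattern next to a
// hardened one. Hypothetical names are prefixed tnc_example_.

// --- Vulnerable pattern (CWE-922): secrets land in a web-served directory ------
function tnc_example_save_settings_vulnerable( array $settings ): string {
    // Everything under wp-content/uploads is served as a static file, so an
    // unauthenticated GET to /wp-content/uploads/tnc-toolbox/settings.json
    // returns hostname, username and API key (T1190 -> T1552.001).
    $dir = WP_CONTENT_DIR . '/uploads/tnc-toolbox/';
    wp_mkdir_p( $dir );
    file_put_contents( $dir . 'settings.json', wp_json_encode( $settings ) );
    return $dir . 'settings.json';
}

// --- Hardened pattern --------------------------------------------------------
function tnc_example_encryption_key(): string {
    // Assumed: a dedicated 32-byte key in wp-config.php, e.g.
    // define( 'TNC_EXAMPLE_ENC_KEY', base64_encode( random_bytes( 32 ) ) );
    if ( defined( 'TNC_EXAMPLE_ENC_KEY' ) ) {
        $k = base64_decode( TNC_EXAMPLE_ENC_KEY, true );
        if ( $k !== false && strlen( $k ) === SODIUM_CRYPTO_SECRETBOX_KEYBYTES ) {
            return $k;
        }
    }
    // Fallback: derive from the installation salts. Weaker, because the salts
    // also protect cookies, but the key still never touches the uploads tree.
    return hash( 'sha256', AUTH_KEY . SECURE_AUTH_KEY, true );
}

function tnc_example_save_settings_hardened( array $settings ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'tnc_forbidden', 'Administrator privileges required.' );
    }
    check_admin_referer( 'tnc_example_save_settings' ); // CSRF nonce; assumed action name

    $host = sanitize_text_field( $settings['cpanel_host'] ?? '' );
    $user = sanitize_text_field( $settings['cpanel_user'] ?? '' );
    $key  = (string) ( $settings['cpanel_api_key'] ?? '' );
    if ( $host === '' || $user === '' || $key === '' ) {
        return new WP_Error( 'tnc_invalid', 'Host, user and API key are required.' );
    }

    // XSalsa20-Poly1305 secretbox: fresh random nonce per write, stored with
    // the ciphertext so it can be opened later.
    $nonce  = random_bytes( SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $sealed = sodium_crypto_secretbox( $key, $nonce, tnc_example_encryption_key() );
    sodium_memzero( $key );

    // Database row, not a file. autoload=false keeps the record out of the
    // option cache that every page load pulls in.
    update_option( 'tnc_example_cpanel', [
        'host' => $host,
        'user' => $user,
        'key'  => base64_encode( $nonce . $sealed ),
    ], false );
    return true;
}

function tnc_example_get_api_key(): ?string {
    $opt = get_option( 'tnc_example_cpanel' );
    if ( ! is_array( $opt ) || empty( $opt['key'] ) ) {
        return null;
    }
    $blob = base64_decode( $opt['key'], true );
    if ( $blob === false || strlen( $blob ) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ) {
        return null;
    }
    $nonce = substr( $blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $plain = sodium_crypto_secretbox_open(
        substr( $blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ),
        $nonce,
        tnc_example_encryption_key()
    );
    return $plain === false ? null : $plain; // false on tamper or wrong key
}
```

Two caveats a practitioner should keep in mind. Encrypting with a key the PHP process can read closes the unauthenticated web-exposure path and blunts a database dump; it does nothing against an attacker who already executes code as the web user, so the cPanel token should additionally be scoped to the minimum the plugin needs and rotated after any suspected exposure. If a file really is unavoidable, write it outside the document root with mode 0600 rather than relying on a .htaccess deny, which nginx ignores entirely.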

Advisories reference a fix in the GitHub commit at https://github.com/The-Network-Crew/TNC-Toolbox-for-WordPress/commit/31bb3040b22c84e2d6dfd3210fe0ad045ff4ddf6. Additional threat intelligence is provided by Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/2eaa5a5c-c11f-40d0-be69-c3ec8029a819?source=cve.

Details

CWE(s)

CWE-922 Insecure Storage of Sensitive Information

Affected Products

TNC Toolbox: Web Performance plugin for WordPress, all versions up to and including 1.4.2
inferred from the NVD description; NVD did not file a CPE for this CVE. Wordfence is the source of the referenced advisory, not an affected product.

CVEs Like This One

CVE-2025-22984 (shared CWE-922)
CVE-2025-22983 (shared CWE-922)
CVE-2024-56113 (shared CWE-922)
CVE-2024-57546 (shared CWE-922)
CVE-2026-40868 (shared CWE-922)
CVE-2024-57436 (shared CWE-922)
CVE-2025-28244 (shared CWE-922)
CVE-2025-21299 (shared CWE-922)
CVE-2024-12315 (shared CWE-922)
CVE-2025-2241 (shared CWE-922)
