CVE-2025-10896 Multiple Plugins <= Multiple Versions - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Upload

🗓️ 04 Nov 2025 04:27:13Reported by WordfenceType

CVE-2025-10896: Subscribers can upload arbitrary plugins via unsafe upgrade function in Jewel Theme library.

Reporter	Title	Published	Views	Family All 13
Circl	CVE-2025-10896	4 Nov 202507:42	–	circl
CNNVD	WordPress plugin多款产品安全漏洞	4 Nov 202500:00	–	cnnvd
CVE	CVE-2025-10896	4 Nov 202504:27	–	cve
EUVD	EUVD-2025-37604	4 Nov 202504:27	–	euvd
NVD	CVE-2025-10896	4 Nov 202505:15	–	nvd
Patchstack	WordPress Master Blocks plugin <= 1.4.1.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary plugin Upload vulnerability	4 Nov 202512:39	–	patchstack
Patchstack	WordPress Image Hover Effects for Elementor plugin <= 1.0.2.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Upload vulnerability	4 Nov 202512:38	–	patchstack
Patchstack	WordPress Image Comparison Addon for Elementor plugin <= 1.0.2.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary plugin Upload vulnerability	4 Nov 202512:36	–	patchstack
Patchstack	WordPress Content Locker for Elementor plugin <= 1.0.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary plugin Upload vulnerability	4 Nov 202508:35	–	patchstack
Positive Technologies	PT-2025-44934	4 Nov 202500:00	–	ptsecurity

[
  {
    "vendor": "litonice13",
    "product": "Image Comparison Addon for Elementor",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "1.0.2.2",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "litonice13",
    "product": "Image Hover Effects for Elementor",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "1.0.2.3",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "litonice13",
    "product": "Content Locker for Elementor",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "1.0.3",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "litonice13",
    "product": "Master Blocks – Ultimate Gutenberg Blocks for Marketers",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "1.4.1.3",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
plugins	www.plugins.trac.wordpress.org/changeset
plugins	www.plugins.trac.wordpress.org/browser/image-hover-effects-elementor-addon/tags/1.0.2.3/Libs/Recommended.php
plugins	www.plugins.trac.wordpress.org/changeset
plugins	www.plugins.trac.wordpress.org/changeset
plugins	www.plugins.trac.wordpress.org/browser/image-hover-effects-elementor-addon/tags/1.0.2.3/Libs/Recommended.php
plugins	www.plugins.trac.wordpress.org/changeset
plugins	www.plugins.trac.wordpress.org/browser/image-hover-effects-elementor-addon/tags/1.0.2.3/Libs/Assets.php
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/0ff3a292-3924-4823-867a-fedb2c1cdd00

08 Apr 2026 16:35Current

CVSS 3.18.8

EPSS0.00534

CWE-862