CVE-2025-11370 Overview
The Popup and Slider Builder by Depicter plugin for WordPress contains a missing capability check vulnerability in the store function of the RulesAjaxController class. This authorization bypass flaw affects all versions up to and including 4.0.7, allowing unauthenticated attackers to modify pop-up display settings without proper permission verification.
Critical Impact
Unauthenticated attackers can exploit this vulnerability to manipulate website pop-up configurations, potentially enabling phishing attacks, defacement, or unwanted content injection through modified display rules.
Affected Products
- Depicter – Popup and Slider Builder plugin for WordPress versions up to and including 4.0.7
- WordPress installations utilizing the vulnerable Depicter plugin
- Websites with exposed AJAX endpoints for the Depicter plugin
Discovery Timeline
- 2026-01-06 - CVE-2025-11370 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-11370
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization), a Broken Access Control flaw that occurs when the application fails to verify that a user has the necessary permissions before allowing access to sensitive functionality. The store function within the RulesAjaxController class lacks proper capability checks, meaning the endpoint processes requests from any user regardless of their authentication status or role.
In WordPress, capability checks are essential for ensuring that only authorized users (such as administrators) can modify plugin settings. The absence of such checks in this AJAX handler creates a direct path for unauthenticated users to alter how and when pop-ups are displayed on the affected website. This could be leveraged by attackers to inject malicious redirect rules, display fraudulent content, or disrupt normal site operations.
Root Cause
The root cause of this vulnerability is the missing implementation of WordPress capability verification functions (such as current_user_can()) in the store method of RulesAjaxController. Without this authorization layer, the AJAX endpoint processes all incoming requests without validating whether the requester has appropriate administrative privileges to modify pop-up rules.
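The following is an added example written for this advisory, not Depicter's code or the vendor's patch: it shows the CWE-862 pattern described in the Vulnerability Analysis and Root Cause sections as a hypothetical plugin's AJAX "store rules" handler, first in its unprotected form and then with the checks WordPress expects. The action name `example_rules_store`, the option `example_popup_rules`, the nonce field and the rule schema are invented for the illustration.

```php
<?php
/**
 * Added example for this advisory (not Depicter's code).
 * Hypothetical plugin: an AJAX handler that saves pop-up display rules.
 */

defined( 'ABSPATH' ) || exit;

/* --- Vulnerable pattern: reachable without login, no capability or nonce check. --- */

// Registering the nopriv hook exposes the handler to anonymous visitors.
add_action( 'wp_ajax_example_rules_store',        'example_rules_store_vulnerable' );
add_action( 'wp_ajax_nopriv_example_rules_store', 'example_rules_store_vulnerable' );

function example_rules_store_vulnerable() {
    // Anyone who can reach admin-ajax.php can rewrite the display rules.
    $rules = isset( $_POST['rules'] ) ? wp_unslash( $_POST['rules'] ) : array();
    update_option( 'example_popup_rules', $rules );
    wp_send_json_success();
}

/* --- Hardened pattern: logged-in only, nonce verified, capability enforced, input sanitized. --- */

// No wp_ajax_nopriv_ registration: the endpoint does not exist for anonymous visitors.
add_action( 'wp_ajax_example_rules_store', 'example_rules_store_hardened' );

function example_rules_store_hardened() {
    // 1. CSRF protection: the nonce must have been issued to this user for this action
    //    (created in the admin page with wp_create_nonce( 'example_rules_store' )).
    check_ajax_referer( 'example_rules_store', 'nonce' );

    // 2. Authorization: being logged in is not enough; a subscriber can also reach wp_ajax_ hooks.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: accept only the fields we expect, with sanitized values.
    $raw   = isset( $_POST['rules'] ) && is_array( $_POST['rules'] ) ? wp_unslash( $_POST['rules'] ) : array();
    $rules = example_sanitize_rules( $raw );

    update_option( 'example_popup_rules', $rules );
    wp_send_json_success( array( 'saved' => count( $rules ) ) );
}

// Whitelist-based sanitizer for the invented rule schema: [ [ 'type' => ..., 'value' => ... ], ... ].
function example_sanitize_rules( array $raw ) {
    $allowed_types = array( 'page', 'post', 'homepage' );
    $clean         = array();
    foreach ( $raw as $rule ) {
        if ( ! is_array( $rule ) ) {
            continue;
        }
        $type = isset( $rule['type'] ) ? sanitize_key( $rule['type'] ) : '';
        if ( ! in_array( $type, $allowed_types, true ) ) {
            continue;
        }
        $clean[] = array(
            'type'  => $type,
            'value' => isset( $rule['value'] ) ? sanitize_text_field( $rule['value'] ) : '',
        );
    }
    return $clean;
}
```

The point of the hardened version is that the three checks are independent: dropping the `wp_ajax_nopriv_` registration removes anonymous access, `check_ajax_referer()` stops cross-site requests riding on an administrator's session, and `current_user_can()` is what actually enforces the role requirement, since any logged-in user, including a subscriber, can still call a `wp_ajax_` hook.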
Attack Vector
The vulnerability is exploitable via network access with no authentication required. An attacker can craft malicious HTTP requests to the vulnerable AJAX endpoint to modify pop-up display settings. The attack requires no user interaction and can be executed remotely. The exploitation flow involves sending specially crafted POST requests to the WordPress AJAX handler targeting the Depicter plugin's rule storage functionality.
Since no authentication is required, attackers can directly manipulate display rules that control when, where, and how pop-ups appear on the target website. This could be used to display phishing content, redirect users to malicious sites, or deface the website's user experience.
Detection Methods for CVE-2025-11370
Indicators of Compromise
- Unexpected modifications to Depicter pop-up display rules or settings
- Unusual AJAX requests targeting Depicter plugin endpoints in web server logs
- Changes to pop-up configurations without corresponding administrator activity
- New or modified pop-up content appearing on the website without authorized changes
Detection Strategies
- Monitor WordPress AJAX requests for unauthorized access attempts to RulesAjaxController endpoints
- Implement Web Application Firewall (WAF) rules to detect and block suspicious requests to Depicter plugin AJAX handlers
- Review web server access logs for patterns of unauthenticated requests targeting the plugin's store function
- Deploy file integrity monitoring to detect unauthorized changes to plugin configurations
Monitoring Recommendations
- Enable verbose logging for WordPress AJAX endpoints and review logs regularly
- Set up alerts for bulk or automated requests targeting plugin-specific AJAX actions
- Monitor database changes to Depicter plugin tables for unauthorized modifications
- Utilize security plugins that provide real-time threat detection for WordPress installations
How to Mitigate CVE-2025-11370
Immediate Actions Required
- Update the Depicter plugin to a version newer than 4.0.7 that includes the security patch
- Review Depicter pop-up rules and display settings for any unauthorized modifications
- Audit web server logs for signs of exploitation attempts
- Consider temporarily disabling the Depicter plugin if an update is not immediately available
Patch Information
A security fix has been released for this vulnerability. The patch adds proper capability checks to the store function in the RulesAjaxController class. The fix can be reviewed in the WordPress Plugin Changeset. Additional technical details are available in the Wordfence Vulnerability Report.
Workarounds
- Implement WAF rules to block unauthenticated requests to the vulnerable AJAX endpoints
- Restrict access to WordPress admin-ajax.php using server-level access controls if possible
- Use a security plugin with virtual patching capabilities to add authorization checks
- Temporarily disable the Depicter plugin until the official patch can be applied
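As an added example covering both the Detection Strategies above and the virtual-patching workaround, the following must-use plugin logs every unauthenticated admin-ajax.php call whose `action` is on a watch-list and can optionally answer it with 403. It is not Depicter or Wordfence code. The watch-list entry is a PLACEHOLDER: the page does not name the plugin's AJAX action, so take the real names from the plugin's `add_action( 'wp_ajax_nopriv_...' )` registrations before enabling blocking. It assumes a `wp-content/mu-plugins/` directory.

```php
<?php
/**
 * Plugin Name: Unauthenticated AJAX Watch (illustrative mu-plugin)
 * Description: Logs, and optionally blocks, unauthenticated admin-ajax.php calls to a watch-list of actions.
 *
 * Added example for this advisory, not the plugin's or vendor's code.
 * Install in wp-content/mu-plugins/ so it loads before regular plugins.
 */

defined( 'ABSPATH' ) || exit;

// PLACEHOLDER watch-list: replace with the real wp_ajax_nopriv_* action names of the plugin.
const UAW_WATCHED_ACTIONS = array( 'PLACEHOLDER_rules_store' );

// false = detection only (log); true = virtual patch (log and reject anonymous callers with 403).
const UAW_BLOCK = false;

// admin_init fires for admin-ajax.php requests before the wp_ajax_nopriv_* handler runs,
// so priority 0 here sees the request ahead of every plugin handler.
add_action( 'admin_init', 'uaw_inspect_ajax_request', 0 );

function uaw_inspect_ajax_request() {
    if ( ! wp_doing_ajax() || is_user_logged_in() ) {
        return; // only anonymous AJAX traffic is of interest
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( ! in_array( $action, UAW_WATCHED_ACTIONS, true ) ) {
        return;
    }

    // Lands in the PHP error log, or wp-content/debug.log when WP_DEBUG_LOG is enabled.
    error_log( uaw_format_log_entry( $action, $_SERVER, $_REQUEST ) );

    if ( UAW_BLOCK ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 403 );
    }
}

function uaw_format_log_entry( $action, array $server, array $request ) {
    // REMOTE_ADDR is the proxy's address when the site sits behind a reverse proxy or CDN.
    $ip     = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '-';
    $method = isset( $server['REQUEST_METHOD'] ) ? $server['REQUEST_METHOD'] : '-';
    $ua     = isset( $server['HTTP_USER_AGENT'] ) ? substr( $server['HTTP_USER_AGENT'], 0, 120 ) : '-';
    // Log parameter names only, so the log does not itself store whatever content was submitted.
    $params = implode( ',', array_keys( $request ) );
    return sprintf(
        'uaw: unauthenticated ajax action=%s method=%s ip=%s params=%s ua="%s"',
        $action,
        $method,
        $ip,
        $params,
        $ua
    );
}
```

Run it with `UAW_BLOCK` false first and compare the logged entries against legitimate front-end traffic; web-server access logs alone usually cannot do this job because the `action` parameter of a POST is in the request body, which they do not record. Once the watch-list is confirmed, flipping `UAW_BLOCK` to true gives the authorization check the plugin lacked, without touching the plugin's files, until the official update is applied.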
    # Example: Restrict AJAX access at the server level (Apache 2.4 .htaccess syntax)
    # Add this to your WordPress root .htaccess file for temporary protection.
    # Caveat: this denies every anonymous call to admin-ajax.php, including the
    # front-end features of other plugins and themes that rely on it; test on a
    # staging site first and replace YOUR_ADMIN_IP_ADDRESS with your real address.
    <Files admin-ajax.php>
        <RequireAny>
            Require ip 127.0.0.1
            Require ip YOUR_ADMIN_IP_ADDRESS
        </RequireAny>
    </Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

