CVE-2025-11373

low-risk

Published 2025-11-05

The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability checks in the "depicter-media-upload" AJAX route in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload limited files on the affected site's server.

Do I need to act?

0.02% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

References (4)

https://plugins.trac.wordpress.org/browser/depicter/tags/4.0.4/app/src/Middlewar...

https://plugins.trac.wordpress.org/browser/depicter/tags/4.0.4/app/src/WordPress...

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new...

https://www.wordfence.com/threat-intel/vulnerabilities/id/ae23f287-e4bb-4f97-aeb...

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal