Vulnerability Description
The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2. This is due to the plugin storing cPanel API credentials (hostname, username, and API key) in files within the web-accessible wp-content directory without adequate protection in the "Tnc_Wp_Toolbox_Settings::save_settings" function. This makes it possible for unauthenticated attackers to retrieve these credentials and use them to interact with the cPanel API, which can lead to arbitrary file uploads, remote code execution, and full compromise of the hosting environment.
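A defender-side check for the exposure described above, as an added example that is not code from the plugin or from this advisory: it searches a site's wp-content tree for files containing cPanel credential values the administrator already knows and reports whether each file would be returned as-is by the web server. The function name, the extension list and the sample file name and values are assumptions made for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumption: only these extensions are run by the PHP handler; anything else
# under wp-content is returned byte-for-byte to whoever requests its URL.
EXECUTED_EXTENSIONS = {".php", ".phtml"}

def find_exposed_secrets(wp_content, secrets, max_bytes=1_000_000):
    """List files under wp_content that contain a credential value you already know.

    secrets maps a label ("hostname", "username", "api_key") to its value.
    """
    needles = {k: v.encode() for k, v in secrets.items() if v}
    findings = []
    for root, _dirs, files in os.walk(wp_content):
        for name in files:
            path = Path(root) / name
            try:
                st = path.stat()
                if not stat.S_ISREG(st.st_mode) or st.st_size > max_bytes:
                    continue
                data = path.read_bytes()
            except OSError:
                continue  # unreadable by this user; rerun as the web server user
            labels = sorted(k for k, needle in needles.items() if needle in data)
            if labels:
                findings.append({
                    "path": str(path.relative_to(wp_content)),
                    "labels": labels,
                    "served_verbatim": path.suffix.lower() not in EXECUTED_EXTENSIONS,
                    "world_readable": bool(st.st_mode & stat.S_IROTH),
                })
    return sorted(findings, key=lambda f: f["path"])

if __name__ == "__main__":
    # Constructed tree and values; the file name is not the plugin's real one.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "constructed-key-file").write_text("CONSTRUCTED-TOKEN-123\n")
        secrets = {"username": "exampleuser", "api_key": "CONSTRUCTED-TOKEN-123"}
        for finding in find_exposed_secrets(root, secrets):
            print(finding)
```

Any finding with `served_verbatim` set to true means the value should be treated as disclosed: revoke that cPanel API token and issue a new one once the plugin has been updated past 1.4.2.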
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://github.com/The-Network-Crew/TNC-Toolbox-for-WordPress/commit/31bb3040b22
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2eaa5a5c-c11f-40d0-be6
FAQ
What is CVE-2025-12539?
CVE-2025-12539 is a vulnerability with a CVSS score of 10.0 (CRITICAL). The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2. This is due to the plugin storing cPanel API credenti...
How severe is CVE-2025-12539?
CVE-2025-12539 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-12539?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.