Unrestricted File Upload Vulnerability in WordPress Plugins by Jewel Theme
CVE-2025-10896

8.8 HIGH

What is CVE-2025-10896?

Multiple plugins built on the Jewel Theme Recommended Plugins Library for WordPress are vulnerable to arbitrary plugin installation. An authenticated attacker with subscriber-level access or higher can upload arbitrary plugin packages to the server because the '*_recommended_upgrade_plugin' function performs no capability check, so any logged-in user can trigger the installation of a plugin fetched from a crafted URL. Successful exploitation can have severe consequences, including potential remote code execution.
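The pattern behind this class of bug is an admin-ajax handler that reaches the plugin installer without first asking whether the caller may install plugins. The following PHP is an added illustration, not the affected plugins' code: the function, action and nonce names and the slug allow-list are assumptions, and it contrasts the missing check with a hardened handler that verifies capability, a nonce, and an allow-listed source before calling WordPress's `Plugin_Upgrader`.

```php
<?php
// Illustrative only. Names are hypothetical; this is not the Jewel Theme code.

// VULNERABLE pattern: any logged-in user can reach the installer with any URL.
function example_recommended_upgrade_plugin_vulnerable() {
    $url = isset( $_GET['plugin_url'] ) ? esc_url_raw( wp_unslash( $_GET['plugin_url'] ) ) : '';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $upgrader = new Plugin_Upgrader( new Automatic_Upgrader_Skin() );
    $upgrader->install( $url ); // no capability check, no nonce, attacker-chosen package
    wp_die();
}

// HARDENED pattern: capability check, nonce check, and an allow-list of plugin slugs.
function example_recommended_upgrade_plugin_hardened() {
    // 1. Only users who may install plugins get past this point (rejects subscribers).
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }
    // 2. Tie the request to a nonce so it cannot be forged from another site.
    check_ajax_referer( 'example_recommended_upgrade', 'nonce' );

    // 3. Never install from a caller-supplied URL: accept only a slug from a fixed
    //    allow-list (constructed values) and resolve it against WordPress.org.
    $allowed = array( 'example-addon-one', 'example-addon-two' );
    $slug    = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( 'Unknown plugin', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( $api->get_error_message(), 500 );
    }

    $upgrader = new Plugin_Upgrader( new Automatic_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'Install failed', 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}
add_action( 'wp_ajax_example_recommended_upgrade_plugin', 'example_recommended_upgrade_plugin_hardened' );
```

When auditing a plugin for this issue, look for every `wp_ajax_*` or `admin_post_*` callback that reaches `Plugin_Upgrader`, `unzip_file` or `download_url` and confirm a `current_user_can( 'install_plugins' )` check precedes it.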

Affected Version(s)

  • Content Locker for Elementor: versions <= 1.0.3

  • Image Comparison Addon for Elementor: versions <= 1.0.2.2

  • Image Hover Effects for Elementor: versions <= 1.0.2.3

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Youcef Hamdani