CVE-2025-10896

CVE-2025-10896 is an unrestricted upload of file with dangerous type vulnerability affecting multiple WordPress plugins that incorporate the Jewel Theme Recommended Plugins Library, in all versions up to and including 1.0.2.3. The issue stems from missing capability checks in the '*_recommended_upgrade_plugin' function, which permits the installation of arbitrary plugin URLs. Specific affected plugins include image-hover-effects-elementor-addon, as evidenced by code in Libs/Assets.php, Libs/Recommended.php, and related changesets. The vulnerability is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-862 (Missing Authorization).

Authenticated attackers with subscriber-level access or higher can exploit this vulnerability by supplying a crafted plugin URL to the affected function, enabling the upload of arbitrary plugin packages directly to the WordPress site's server. Successful exploitation may lead to remote code execution, as the uploaded plugins can contain malicious code that executes with the privileges of the web server process.

References to WordPress plugin trac repositories indicate mitigation through code changes in specific changesets, such as 3384308 for image-hover-effects-elementor-addon and 3389322 for image-comparison-elementor-addon, which likely address the missing capability checks in the recommended plugin functions. Security practitioners should update to patched versions of affected plugins beyond 1.0.2.3 and review sites using the Jewel Theme Recommended Plugins Library for unauthorized plugins.