CVE-2025-12539

Critical

Published: 11 November 2025

Published

11 November 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0072 72.6th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2. This is due to the plugin storing cPanel API credentials (hostname, username, and API key) in files within…

the web-accessible wp-content directory without adequate protection in the "Tnc_Wp_Toolbox_Settings::save_settings" function. This makes it possible for unauthenticated attackers to retrieve these credentials and use them to interact with the cPanel API, which can lead to arbitrary file uploads, remote code execution, and full compromise of the hosting environment.

Mitigating Controls (NIST 800-53 r5)AI

AC-22 Publicly Accessible Content good match

prevent

AC-22 requires controlling and reviewing publicly accessible content to ensure sensitive information like cPanel credentials is not exposed in web-accessible directories such as wp-content.

SC-28 Protection of Information at Rest good match

prevent

SC-28 mandates protection of the confidentiality of information at rest, preventing plaintext storage of cPanel API credentials in files that could be accessed by attackers.

CM-12 Information Location good match

prevent

CM-12 requires identifying locations of sensitive information like stored cPanel credentials and implementing protections to prevent their exposure in web-accessible paths.

Security SummaryAI

CVE-2025-12539 is a sensitive information exposure vulnerability in the TNC Toolbox: Web Performance plugin for WordPress, affecting all versions up to and including 1.4.2. The issue arises in the "Tnc_Wp_Toolbox_Settings::save_settings" function, which stores cPanel API credentials—including hostname, username, and API key—in files within the web-accessible wp-content directory without adequate protection. This exposure has a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and is linked to CWE-922.

Unauthenticated attackers can exploit this vulnerability by directly accessing the exposed files to retrieve the cPanel credentials. Armed with these details, attackers can interact with the cPanel API to perform actions such as arbitrary file uploads, remote code execution, and full compromise of the hosting environment.

Advisories reference a fix in the GitHub commit at https://github.com/The-Network-Crew/TNC-Toolbox-for-WordPress/commit/31bb3040b22c84e2d6dfd3210fe0ad045ff4ddf6. Additional threat intelligence is provided by Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/2eaa5a5c-c11f-40d0-be69-c3ec8029a819?source=cve.

Details

CWE(s): CWE-922

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1552.001 Credentials In Files Credential Access

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

attack.mitre.org →

Why these techniques?

The vulnerability enables exploitation of a public-facing WordPress application (T1190) through unauthenticated access to plain-text files containing cPanel API credentials, directly facilitating unsecured credentials in files (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/The-Network-Crew/TNC-Toolbox-for-WordPress/commit/31bb3040b22c84e2d6dfd3210fe0ad045ff4ddf6
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/2eaa5a5c-c11f-40d0-be69-c3ec8029a819?source=cve
security@wordfence.com