The Popup and Slider Builder by Depicter plugin for WordPress, which provides functionalities such as email collecting popups, coupon popups, image sliders, and carousel sliders, suffers from a missing authorization vulnerability identified as CVE-2025-11373 (CWE-862). Specifically, the AJAX endpoint "depicter-media-upload" lacks proper capability checks, allowing authenticated users with Contributor-level privileges or higher to upload files to the server without sufficient restrictions. This missing authorization means that users who should not have permission to upload files can do so, potentially introducing malicious files into the web server environment. The vulnerability affects all versions up to and including 4.0.4 of the plugin. The CVSS v3.1 score of 4.3 indicates a medium severity, with the vector showing network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). While the vulnerability does not directly lead to remote code execution, the ability to upload arbitrary files can be leveraged in chained attacks, such as uploading web shells or malicious scripts, if additional vulnerabilities or misconfigurations exist. No public exploits have been reported yet, but the risk remains significant for sites that allow Contributor-level users to upload content. The plugin is widely used in WordPress environments for marketing and user engagement, making this a relevant threat vector for many organizations relying on WordPress-based websites.

The primary impact of CVE-2025-11373 is the unauthorized ability for authenticated users with Contributor-level access or higher to upload arbitrary files to the affected WordPress site. This can lead to integrity compromise of the website’s content and potentially enable further attacks such as web shell deployment, defacement, or pivoting within the hosting environment. Although the vulnerability does not directly affect confidentiality or availability, the uploaded files could be used to escalate privileges or conduct malicious activities that impact these security properties indirectly. Organizations relying on this plugin for marketing, e-commerce, or user engagement may face reputational damage, data integrity issues, and increased risk of broader compromise if attackers exploit this vulnerability. The medium CVSS score reflects the need for authentication and limited direct impact, but the scope of affected systems is large given WordPress’s market share and the plugin’s popularity. Without mitigation, attackers with low-level access can abuse this flaw to undermine website security and trust.

To mitigate CVE-2025-11373, organizations should first restrict Contributor-level and higher user roles to trusted personnel only, minimizing the risk of malicious uploads. Implement strict role-based access controls and regularly audit user permissions to ensure no unnecessary privileges are granted. Monitor the "depicter-media-upload" AJAX endpoint and file upload directories for unusual or unauthorized file uploads, using file integrity monitoring and web application firewalls (WAFs) with custom rules to detect and block suspicious activity. Disable or remove the Popup and Slider Builder by Depicter plugin if it is not essential to reduce the attack surface. Since no official patch is currently available, consider applying temporary workarounds such as restricting access to the AJAX upload route via server-level controls or plugin hardening. Stay informed about vendor updates and apply patches promptly once released. Additionally, implement security best practices such as disabling execution permissions on upload directories and employing content security policies to limit the impact of any uploaded malicious files.