CVE-2025-12539: CWE-922 Insecure Storage of Sensitive Information in leopardhost TNC Toolbox: Web Performance
The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2. This is due to the plugin storing cPanel API credentials (hostname, username, and API key) in files within the web-accessible wp-content directory without adequate protection in the "Tnc_Wp_Toolbox_Settings::save_settings" function. This makes it possible for unauthenticated attackers to retrieve these credentials and use them to interact with the cPanel API, which can lead to arbitrary file uploads, remote code execution, and full compromise of the hosting environment.
AI Analysis
Technical Summary
The leopardhost TNC Toolbox: Web Performance plugin for WordPress, versions up to and including 1.4.2, contains a critical vulnerability (CVE-2025-12539) classified under CWE-922 (Insecure Storage of Sensitive Information). The plugin stores cPanel API credentials (hostname, username, and API key) in files located within the web-accessible wp-content directory without adequate access controls or encryption; the insecure write occurs in the "Tnc_Wp_Toolbox_Settings::save_settings" function. Because the web server serves these files directly, an unauthenticated attacker can retrieve the credentials over the web with no login and no user interaction. With the credentials in hand, an attacker can drive the cPanel API to upload arbitrary files, execute code remotely, and potentially take full control of the hosting environment. The vulnerability carries a CVSS v3.1 base score of 10.0 (critical): network attack vector, no privileges or user interaction required, and complete impact on confidentiality, integrity, and availability. No in-the-wild exploitation had been reported at the time of writing, but the nature of the flaw and the ease of exploiting it make it a significant threat. WordPress is widely deployed globally, including across Europe, and WordPress-on-cPanel hosting is common, which enlarges the potential attack surface. The absence of patch links suggests that no official fix had been released at publication time, so administrators should apply mitigations immediately.
Potential Impact
For European organizations, this vulnerability poses a severe risk to websites and hosting environments running the vulnerable TNC Toolbox plugin on WordPress with cPanel hosting. Successful exploitation can lead to full compromise of the hosting server, enabling attackers to upload malicious files, execute arbitrary code, steal sensitive data, or pivot to other internal systems. This can result in data breaches, service downtime, reputational damage, and regulatory non-compliance, especially under GDPR. The exposure of cPanel API credentials also risks other hosted domains and services managed via cPanel. Given the widespread use of WordPress and cPanel in Europe, many small to medium enterprises, e-commerce platforms, and service providers could be affected. The critical nature of the vulnerability means that even organizations with limited security expertise are at risk, increasing the likelihood of exploitation. Additionally, the potential for complete hosting environment compromise raises concerns about persistent threats and lateral movement within networks.
Mitigation Recommendations
1. Immediately identify and isolate WordPress instances running the TNC Toolbox: Web Performance plugin versions up to 1.4.2.
2. Remove or disable the vulnerable plugin until a patched version is released.
3. If possible, update to a fixed version once available from the vendor.
4. Manually audit the wp-content directory for any exposed files containing cPanel API credentials and remove or restrict access to them.
5. Rotate all cPanel API credentials that may have been exposed to prevent unauthorized access.
6. Implement strict file permissions and web server configurations to prevent direct access to sensitive files within wp-content or other directories.
7. Monitor cPanel logs and WordPress activity for suspicious actions indicative of exploitation attempts.
8. Employ web application firewalls (WAFs) with rules to block unauthorized access to configuration files.
9. Educate administrators about the risks of storing sensitive credentials in web-accessible locations and encourage secure credential management practices.
10. Consider isolating cPanel API access to trusted IPs or using API tokens with minimal privileges where possible.
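The following is an added illustration, not code from the TNC Toolbox plugin or from leopardhost. It places the CWE-922 pattern the description above names (credentials serialised into a file under wp-content) beside a hardened settings handler of the kind steps 6 and 9 call for: capability and nonce checks, storage in the WordPress options table instead of a web-served file, the API key encrypted at rest with a key derived from the wp-config.php salts, and an Apache deny rule for any directory a plugin must write under wp-content. The class, option, nonce and file names are assumptions chosen for the example, and it assumes PHP 7.2 or later with the bundled sodium extension.

```php
<?php
// Added example, not the TNC Toolbox plugin's own code. Class, option,
// nonce and file names below are assumptions made for this illustration.

// --- Insecure pattern (what the advisory describes; do not use) ----------
// The credentials are serialised into a file under wp-content. The web
// server serves that directory, so the file is downloadable by anyone who
// knows or guesses its URL.
function example_insecure_save( array $input ) {
    $path = WP_CONTENT_DIR . '/example-cpanel-settings.json'; // hypothetical path
    file_put_contents( $path, wp_json_encode( $input ) );
}

// --- Hardened pattern -----------------------------------------------------
class Example_Cpanel_Settings {
    const OPTION = 'example_cpanel_settings';      // hypothetical option name
    const NONCE  = 'example_cpanel_settings_save'; // hypothetical nonce action

    public static function save_settings( array $input ) {
        // Only administrators may change hosting credentials, and the
        // request must carry a valid nonce (CSRF protection).
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient privileges.', 403 );
        }
        check_admin_referer( self::NONCE );

        // Validate every field before storing anything.
        $host = sanitize_text_field( $input['host'] ?? '' );
        $user = sanitize_text_field( $input['user'] ?? '' );
        $key  = trim( (string) ( $input['api_key'] ?? '' ) );
        if ( '' === $host || '' === $user || '' === $key ) {
            return new WP_Error( 'missing_field', 'hostname, username and API key are required' );
        }

        // Store in the options table rather than a web-served file. The API
        // key is encrypted at rest; autoload=false keeps it out of the option
        // cache that WordPress loads on every request.
        update_option( self::OPTION, [
            'host'    => $host,
            'user'    => $user,
            'api_key' => self::seal( $key ),
        ], false );
        return true;
    }

    public static function get_api_key() {
        $opt = get_option( self::OPTION );
        return ( is_array( $opt ) && isset( $opt['api_key'] ) ) ? self::open( $opt['api_key'] ) : null;
    }

    // 32-byte key derived from the wp-config.php salts (secretbox key size).
    // This protects against a database dump or backup leak; it does not help
    // against an attacker who can already read wp-config.php.
    private static function key() {
        return hash( 'sha256', AUTH_KEY . SECURE_AUTH_KEY, true );
    }

    private static function seal( $plain ) {
        $nonce = random_bytes( SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
        $box   = sodium_crypto_secretbox( $plain, $nonce, self::key() );
        return base64_encode( $nonce . $box );
    }

    private static function open( $sealed ) {
        $raw = base64_decode( $sealed, true );
        if ( false === $raw || strlen( $raw ) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ) {
            return null;
        }
        $nonce = substr( $raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
        $box   = substr( $raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
        $plain = sodium_crypto_secretbox_open( $box, $nonce, self::key() );
        return ( false === $plain ) ? null : $plain;
    }

    // Defence in depth for any directory a plugin must write under
    // wp-content: deny direct requests (Apache 2.4 syntax) and suppress
    // directory listings. nginx ignores .htaccess, so there the equivalent
    // "location" deny rule belongs in the server configuration.
    public static function deny_direct_access( $dir ) {
        wp_mkdir_p( $dir );
        file_put_contents( $dir . '/.htaccess', "Require all denied\n" );
        file_put_contents( $dir . '/index.php', "<?php // Silence is golden.\n" );
    }
}
```

The encryption step raises the bar for a single leaked artefact (a database export, a backup, or a misconfigured read of the options table) but is not a substitute for keeping the secret out of web-served paths: moving storage from a file under wp-content into the options table is the change that closes the exposure the advisory describes, and rotating the cPanel credentials (step 5) is still required wherever the old file may already have been read.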
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-30T21:09:49.456Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69131c131c700d145d0c4ce1
Added to database: 11/11/2025, 11:20:51 AM
Last enriched: 11/11/2025, 11:35:31 AM
Last updated: 11/12/2025, 4:04:55 AM