CVE-2025-12539: CWE-922 Insecure Storage of Sensitive Information in leopardhost TNC Toolbox: Web Performance
The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2. This is due to the plugin storing cPanel API credentials (hostname, username, and API key) in files within the web-accessible wp-content directory without adequate protection in the "Tnc_Wp_Toolbox_Settings::save_settings" function. This makes it possible for unauthenticated attackers to retrieve these credentials and use them to interact with the cPanel API, which can lead to arbitrary file uploads, remote code execution, and full compromise of the hosting environment.
AI Analysis
Technical Summary
The leopardhost TNC Toolbox: Web Performance plugin for WordPress, up to version 1.4.2, contains a critical vulnerability (CVE-2025-12539) classified under CWE-922 (Insecure Storage of Sensitive Information). The plugin stores cPanel API credentials—including hostname, username, and API key—in files located within the web-accessible wp-content directory. These files are saved via the Tnc_Wp_Toolbox_Settings::save_settings function without adequate access controls or encryption, making them accessible to any unauthenticated attacker who can send HTTP requests to the affected WordPress site. Once obtained, these credentials allow attackers to interact with the cPanel API, which typically has extensive control over the hosting environment. This access can be leveraged to upload arbitrary files, execute remote code, and ultimately gain full control over the hosting server and all hosted websites. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network, increasing its severity. The CVSS v3.1 base score is 10.0, indicating a critical severity with network attack vector, low attack complexity, no privileges required, and no user interaction. The scope is changed because the compromise of the WordPress plugin leads to a broader impact on the hosting environment. Although no known exploits are currently reported in the wild, the ease of exploitation and potential impact make this a highly urgent issue for affected users. No official patches were listed at the time of publication, so immediate mitigation is critical.
Potential Impact
The impact of this vulnerability is severe and far-reaching. Organizations using the leopardhost TNC Toolbox: Web Performance plugin on WordPress sites hosted with cPanel are at risk of full hosting environment compromise. Attackers can gain unauthorized access to cPanel API credentials, enabling them to upload malicious files, execute arbitrary code, and potentially take over the entire server. This can lead to data breaches, defacement of websites, distribution of malware, and disruption of services. The confidentiality of sensitive data is compromised, integrity of hosted websites and data is at risk, and availability can be disrupted through malicious actions or server takeover. The vulnerability affects all versions up to 1.4.2, meaning a large number of sites could be vulnerable if they have not updated or applied mitigations. The ease of exploitation without authentication or user interaction increases the likelihood of attacks. This can result in significant operational, reputational, and financial damage to organizations worldwide, especially those relying on WordPress and cPanel hosting environments.
Mitigation Recommendations
1. Immediately restrict access to the wp-content directory and specifically to any files storing cPanel API credentials by implementing strict web server access controls (e.g., .htaccess rules, web server configuration to deny HTTP access).
2. Remove or relocate stored cPanel API credentials from web-accessible directories to secure, non-public locations with proper file permissions and encryption.
3. Monitor web server logs for suspicious requests attempting to access credential files or unusual API activity.
4. Disable or uninstall the TNC Toolbox: Web Performance plugin until a secure patched version is released.
5. Apply the principle of least privilege to cPanel API keys, limiting their permissions to only necessary functions.
6. Once available, promptly apply official patches or updates released by leopardhost addressing this vulnerability.
7. Conduct a thorough security audit of hosting environments and WordPress installations to detect any signs of compromise.
8. Educate administrators on secure credential storage best practices and the risks of exposing sensitive information in web-accessible locations.
9. Consider implementing Web Application Firewalls (WAFs) to block unauthorized attempts to access sensitive files.
10. Regularly back up website and server data to enable recovery in case of compromise.
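An added example (not from the advisory or the plugin) supporting recommendations 1 and 2: an audit that searches wp-content for files containing the site's own cPanel hostname, username or API key, and reports whether each would be served raw and is world-readable. The advisory does not name the credential files, so the directory and file names in the constructed demo tree are placeholders, and the set of interpreter-handled extensions is an assumption.

```python
import os
import stat
import tempfile

# Assumption: only these extensions are handed to an interpreter; any other
# file under wp-content is returned to the client byte for byte.
EXECUTED_EXTS = {".php", ".phtml"}

def find_exposed_secrets(wp_content, secrets):
    """Report files under wp_content that contain any known secret value.
    secrets maps a label to the site's own value (hostname, username, API key).
    Returns sorted (relative_path, labels_found, served_raw, world_readable).
    """
    needles = {k: v.encode() for k, v in secrets.items() if v}
    findings = []
    for root, _dirs, files in os.walk(wp_content):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.stat(path)
                if st.st_size > 1_000_000:  # credential files are small; skip media
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable by the auditing user
            hits = sorted(k for k, n in needles.items() if n in data)
            if hits:
                ext = os.path.splitext(name)[1].lower()
                findings.append((os.path.relpath(path, wp_content), hits,
                                 ext not in EXECUTED_EXTS,
                                 bool(st.st_mode & stat.S_IROTH)))
    return sorted(findings)

def demo():
    """Audit a constructed tree; all names and values below are placeholders."""
    secrets = {"hostname": "cpanel.example.test", "username": "exampleuser",
               "api_key": "CONSTRUCTED-TOKEN-0000"}
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "placeholder-config-dir")
        os.makedirs(cfg)
        samples = {"placeholder-key-file": secrets["api_key"],
                   "index.php": "<?php // no secrets here"}
        for fname, body in samples.items():
            path = os.path.join(cfg, fname)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, 0o644)
        return find_exposed_secrets(tmp, secrets)
```

Any finding with `served_raw` set is a file to move out of the web root, and the API key it contains should be treated as disclosed and rotated.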
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, India, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-30T21:09:49.456Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69131c131c700d145d0c4ce1
Added to database: 11/11/2025, 11:20:51 AM
Last enriched: 2/27/2026, 8:43:28 PM
Last updated: 3/23/2026, 4:15:44 AM