{"id":5246,"date":"2025-12-10T08:33:22","date_gmt":"2025-12-10T07:33:22","guid":{"rendered":"https:\/\/wpmastertoolkit.com\/?p=5246"},"modified":"2025-12-10T08:33:25","modified_gmt":"2025-12-10T07:33:25","slug":"mise-a-jour-de-securite-cve-2025-14166-wpmastertoolkit-2-13-1","status":"publish","type":"post","link":"https:\/\/wpmastertoolkit.com\/en\/security-update-cve-2025-14166-wpmastertoolkit-2-13-1\/","title":{"rendered":"Security update (CVE-2025-14166): WPMasterToolKit 2.13.1"},"content":{"rendered":"<p class=\"wp-block-paragraph\">Following a report from the <strong>WordPress Plugins Team<\/strong> and researchers from <strong>Wordfence<\/strong> (CVE-2025-14166), a vulnerability has been identified in the <strong>Code Snippets<\/strong> module of WPMasterToolKit (versions \u2264 2.13.0).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This module allowed users with the <strong>Contributor<\/strong> role (and above) to add and execute PHP code, potentially leading to privilege escalation.<br>\u26a0\ufe0f This could be exploited <strong>only if<\/strong> the Code Snippets module had previously been activated by an administrator and the user already had <strong>Contributor<\/strong> access or higher.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u2714\ufe0f Fixed in version 2.13.1<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To eliminate any risk:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Access to the Code Snippets module is now strictly reserved for Administrators<\/strong><\/li>\n\n\n\n<li>WordPress capabilities have been revised to <strong>require the <code data-no-auto-translation=\"\">manage_options<\/code> capability<\/strong> on all snippet-related actions<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Change implemented:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"php\" class=\"language-php\" data-no-auto-translation=\"\">'capability_type'       =&gt; 'page',\n'capabilities'          =&gt; array(\n    'edit_post'          =&gt; 
'manage_options',\n    'read_post'          =&gt; 'manage_options',\n    'delete_post'        =&gt; 'manage_options',\n    'edit_posts'         =&gt; 'manage_options',\n    'edit_others_posts'  =&gt; 'manage_options',\n    'publish_posts'      =&gt; 'manage_options',\n    'read_private_posts' =&gt; 'manage_options',\n),\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udd0e Additional checks in progress<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In accordance with WordPress.org:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A complete permissions audit is underway across all modules<\/li>\n\n\n\n<li>Our code will undergo a <strong>Plugin Check<\/strong> to ensure maximum compliance with WordPress development and security standards<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udee1\ufe0f What you need to do<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If you use WPMasterToolKit:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u2714\ufe0f Update your plugin to <strong>2.13.1 or higher<\/strong><br>\u26a0\ufe0f If the Code Snippets module was enabled, check that no suspicious snippets have been added by a non-administrator user.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\ude4f Thanks to the security community<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We would like to thank:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The WordPress.org Plugins Team<\/li>\n\n\n\n<li>Wordfence researchers who identified and documented the flaw<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Our priority is and will remain the <strong>security<\/strong> of WordPress sites using WPMasterToolKit.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\ud83d\udc4b A question, a doubt, a security alert?<br>Our team remains available via WordPress.org support or our official website.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let's stay vigilant, stay safe. 
\ud83d\udd12\ud83d\ude80<\/p>","protected":false},"excerpt":{"rendered":"<p>Following a report from the WordPress Plugins Team and researchers from Wordfence (CVE-2025-14166), a vulnerability has been identified in the Code Snippets module of WPMasterToolKit (versions \u2264 2.13.0). This module allowed users with the Contributor role (and above) to add and execute PHP code, potentially leading to privilege escalation.\u26a0\ufe0f This could [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_seopress_robots_follow":"","_seopress_robots_imageindex":"","_seopress_robots_snippet":"","_seopress_robots_primary_cat":"","_seopress_robots_breadcrumbs":"","_seopress_robots_freeze_modified_date":"","_seopress_robots_custom_modified_date":"","_seopress_robots_canonical":"","_seopress_social_fb_title":"","_seopress_social_fb_desc":"","_seopress_social_fb_img":"","_seopress_social_fb_img_attachment_id":0,"_seopress_social_fb_img_width":0,"_seopress_social_fb_img_height":0,"_seopress_social_twitter_title":"","_seopress_social_twitter_desc":"","_seopress_social_twitter_img":"","_seopress_social_twitter_img_attachment_id":0,"_seopress_social_twitter_img_width":0,"_seopress_social_twitter_img_height":0,"_seopress_redirections_value":"","_seopress_redirections_enabled":"","_seopress_redirections_enabled_regex":"","_seopress_redirections_logged_status":"","_seopress_redirections_param":"","_seopress_redirections_type":0,"_seopress_analysis_target_kw":"","_seopress_news_disabled":"","_seopress_video_disabled":"","_seopress_video":[],"_seopress_pro_schemas_manual":[],"_seopress_pro_rich_snippets_disable_all":"","_seopress_pro_rich_snippets_disable":[],"_seop
ress_pro_schemas":[],"_surecart_dashboard_logo_width":"180px","_surecart_dashboard_show_logo":true,"_surecart_dashboard_navigation_orders":true,"_surecart_dashboard_navigation_invoices":true,"_surecart_dashboard_navigation_subscriptions":true,"_surecart_dashboard_navigation_downloads":true,"_surecart_dashboard_navigation_billing":true,"_surecart_dashboard_navigation_account":true,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-5246","post","type-post","status-publish","format-standard","hentry","category-non-classe"],"acf":[],"_links":{"self":[{"href":"https:\/\/wpmastertoolkit.com\/en\/wp-json\/wp\/v2\/posts\/5246","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpmastertoolkit.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpmastertoolkit.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpmastertoolkit.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wpmastertoolkit.com\/en\/wp-json\/wp\/v2\/comments?post=5246"}],"version-history":[{"count":0,"href":"https:\/\/wpmastertoolkit.com\/en\/wp-json\/wp\/v2\/posts\/5246\/revisions"}],"wp:attachment":[{"href":"https:\/\/wpmastertoolkit.com\/en\/wp-json\/wp\/v2\/media?parent=5246"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpmastertoolkit.com\/en\/wp-json\/wp\/v2\/categories?post=5246"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpmastertoolkit.com\/en\/wp-json\/wp\/v2\/tags?post=5246"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}