Description
The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2. This is due to the plugin storing cPanel API credentials (hostname, username, and API key) in files within the web-accessible wp-content directory without adequate protection in the "Tnc_Wp_Toolbox_Settings::save_settings" function. This makes it possible for unauthenticated attackers to retrieve these credentials and use them to interact with the cPanel API, which can lead to arbitrary file uploads, remote code execution, and full compromise of the hosting environment.
Published: 2025-11-11
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The TNC Toolbox: Web Performance plugin for WordPress stores cPanel API credentials in plain text files inside the web-accessible wp-content directory, a flaw that allows attackers to read those files without authentication. With access to the hostname, username, and API key, an adversary can call the cPanel API and perform operations such as arbitrary file uploads, remote code execution, and complete takeover of the hosting account. The weakness is a sensitive information exposure in the settings persistence layer, classified as CWE-922.

Affected Systems

WordPress sites running the TNC Toolbox: Web Performance plugin version 1.4.2 or earlier are affected. The plugin is distributed by leopardhost under the product name TNC Toolbox: Web Performance. No further version information is available in the CVE data, so any site still on these releases is vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 10, indicating critical severity. The EPSS score is reported as less than 1%, meaning the public exploitation probability is low at the time of this assessment, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is unauthenticated read access to files in wp-content, allowing the attacker to retrieve the unprotected credentials. Once those credentials are obtained, exploitation of the cPanel API grants full control over the hosting environment.

Generated by OpenCVE AI on April 22, 2026 at 16:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the TNC Toolbox: Web Performance plugin to the latest available version, ensuring that credential files are no longer stored in web-accessible locations.
  • If an update is not immediately possible, locate the credential files within the wp-content directory and either delete them or move them outside the web root so that they cannot be accessed via HTTP.
  • Configure the web server or .htaccess rules to forbid web access to directories or files that hold sensitive information within wp-content, thereby preventing the unauthenticated download of credential files.

Advisories

No advisories yet.

History

Fri, 14 Nov 2025 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 13:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Tue, 11 Nov 2025 11:15:00 +0000

Type: Description
Values Added: The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2. This is due to the plugin storing cPanel API credentials (hostname, username, and API key) in files within the web-accessible wp-content directory without adequate protection in the "Tnc_Wp_Toolbox_Settings::save_settings" function. This makes it possible for unauthenticated attackers to retrieve these credentials and use them to interact with the cPanel API, which can lead to arbitrary file uploads, remote code execution, and full compromise of the hosting environment.

Type: Title
Values Added: TNC Toolbox: Web Performance <= 1.4.2 - Unauthenticated Sensitive Information Exposure to Privilege Escalation/cPanel Account Takeover

Type: Weaknesses
Values Added: CWE-922

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:44:28.205Z

Reserved: 2025-10-30T21:09:49.456Z

Link: CVE-2025-12539

Vulnrichment

Updated: 2025-11-14T15:25:19.779Z

NVD

Status : Deferred

Published: 2025-11-11T11:15:33.180

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12539

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T16:45:21Z

Weaknesses