PT-2025-46321 · WordPress · Tnc Toolbox: Web Performance

Kenneth Dunn · Published 2025-11-11 · Updated 2025-11-18 · CVE-2025-12539

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: TNC Toolbox: Web Performance plugin for WordPress versions up to and including 1.4.2

Description: The TNC Toolbox: Web Performance plugin for WordPress is affected by a sensitive information exposure issue. The plugin stores cPanel API credentials (hostname, username, and API key) in files within the web-accessible wp-content directory without adequate protection. The Tnc Wp Toolbox Settings::save settings function is involved in this issue. This allows unauthenticated attackers to retrieve these credentials and interact with the cPanel API, potentially leading to arbitrary file uploads and remote code execution, resulting in a full compromise of the hosting environment.

Recommendations: Versions up to and including 1.4.2 should be updated to a newer, fixed version if available. As a temporary workaround, restrict access to the wp-content directory to minimize the risk of unauthorized access to the stored credentials.
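
To check whether a site still has the credentials in servable files, before or after applying the workaround, an administrator can search wp-content for the site's own cPanel values. The Python script below is an added example, not code from this advisory or from the plugin. The advisory does not name the credential files, so the script matches by content; the PHP extension list and the .htaccess check (Apache only) are assumptions.

```python
import os
import re
from pathlib import Path

# Assumption: extensions the web server passes to PHP instead of serving raw.
PHP_EXTS = {".php", ".phtml", ".phar"}
# Assumption: Apache-style deny rules; nginx ignores .htaccess files.
DENY_RE = re.compile(r"require\s+all\s+denied|deny\s+from\s+all", re.I)

def htaccess_denies(directory, stop_at):
    """True if an .htaccess between directory and stop_at denies all access."""
    d, stop = Path(directory).resolve(), Path(stop_at).resolve()
    while True:
        ht = d / ".htaccess"
        if ht.is_file() and DENY_RE.search(ht.read_text(errors="ignore")):
            return True
        if d == stop or d.parent == d:
            return False
        d = d.parent

def audit(wp_content, secrets, max_bytes=1_000_000):
    """secrets maps a label ("hostname", "username", "api_key") to the site's
    own cPanel value. Returns sorted (relative_path, labels, status) tuples;
    the secret values themselves are never included in the result."""
    findings = []
    for root, _dirs, files in os.walk(wp_content):
        for name in files:
            path = Path(root) / name
            try:
                if path.stat().st_size > max_bytes:
                    continue
                data = path.read_bytes()
            except OSError:
                continue  # unreadable to us; skip rather than abort the scan
            labels = sorted(k for k, v in secrets.items()
                            if v and v.encode() in data)
            if not labels:
                continue
            # A file is served raw unless PHP both handles and parses it.
            raw = path.suffix.lower() not in PHP_EXTS or b"<?php" not in data
            if not raw:
                status = "php-wrapped"
            elif htaccess_denies(root, wp_content):
                status = "denied-by-htaccess"
            else:
                status = "EXPOSED"
            rel = path.relative_to(wp_content).as_posix()
            findings.append((rel, labels, status))
    return sorted(findings)
```

Any file reported as EXPOSED means the API key should be treated as disclosed and rotated in cPanel, not just moved or blocked.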

Fix

RCE

Insecure Storage of Sensitive Information

Weakness Enumeration

Related Identifiers: CVE-2025-12539

Affected Products: Tnc Toolbox: Web Performance