PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-60218 WPLocker CVE debrief

A critical vulnerability (CVSS score: 9.9) was discovered in the PT Luxa Addons plugin for WordPress, version 1.2.2 and earlier. This vulnerability allows subscribers to upload arbitrary files, potentially leading to severe consequences, including code execution and data breaches. The vulnerability was made public on June 17, 2026. Users of the affected plugin should take immediate action to mitigate the risk.

Vendor
WPLocker
Product
PT Luxa Addons
CVSS
CRITICAL 9.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-17
Advisory published
2026-06-17
Advisory updated
2026-06-17

Who should care

Administrators and users of WordPress sites with the PT Luxa Addons plugin installed should be aware of this vulnerability and take steps to protect their sites, particularly sites on which untrusted users can hold subscriber-level accounts, since that is the privilege level needed to trigger the flaw.

Technical summary

The PT Luxa Addons plugin for WordPress, version 1.2.2 and earlier, is vulnerable to arbitrary file upload. The flaw stems from insufficient validation of uploaded files, so an authenticated user with only subscriber-level privileges can upload files without proper restrictions on type or content. The CVSS 3.1 vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.

Defensive priority

High

Recommended defensive actions

  • Update the PT Luxa Addons plugin to the latest version, if available.
  • Restrict file upload capabilities to trusted users only.
  • Implement additional security measures, such as Web Application Firewalls (WAFs) and intrusion detection systems.
  • Monitor your WordPress site for suspicious activity and file uploads.
  • Consider using a security plugin to enhance WordPress security.
  • Regularly update and patch all plugins and themes on your WordPress site.
  • Limit subscriber-level access to sensitive areas of your WordPress site.
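As an added illustration (not code from the PT Luxa Addons plugin or from WPLocker), the shape of an "insufficient validation" upload handler in a WordPress plugin, followed by a hardened version that enforces the capability, nonce and file-type checks the recommended actions above call for. The AJAX hook names and the nonce action are assumed names chosen for this example.

```php
<?php
// Added example: a WordPress AJAX upload handler the weak way, then hardened.
// Hook names (luxa_demo_upload_*) and the nonce action are illustrative.

// WEAK: any logged-in user (including subscribers) can reach this, the nonce is
// never checked, and the file keeps whatever name and extension it arrived with.
add_action( 'wp_ajax_luxa_demo_upload_weak', function () {
    $dir  = wp_upload_dir();
    $dest = $dir['path'] . '/' . basename( $_FILES['file']['name'] );
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( array( 'path' => $dest ) );
} );

// HARDENED: capability check, nonce check, extension/MIME validation, and the
// core upload pipeline, which also applies the site's upload_mimes allowlist.
add_action( 'wp_ajax_luxa_demo_upload_safe', function () {
    check_ajax_referer( 'luxa_demo_upload', 'nonce' );

    // Subscribers do not have upload_files; Authors and above do by default.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file received', 400 );
    }

    // Explicit allowlist on top of the core check: images only for this handler.
    $allowed = array( 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png' );
    $check   = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    // test_form => false because this is an AJAX request, not a wp-admin form post.
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
} );
```

When reviewing a plugin's upload paths, the three questions to ask are the ones the hardened handler answers: which capability gates the request, whether the nonce is verified, and whether the file's extension and content are checked against an allowlist before it is written under the uploads directory.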

Evidence notes

The vulnerability was reported by Patchstack and is publicly listed in the CVE database. The CVE record and NVD details are available for further information.

Official resources

CVE-2025-60218 was made public on June 17, 2026.