What the vulnerability does
01 Description
The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2. This is due to the plugin storing cPanel API credentials (hostname, username, and API key) in files within the web-accessible wp-content directory without adequate protection in the "Tnc_Wp_Toolbox_Settings::save_settings" function. This makes it possible for unauthenticated attackers to retrieve these credentials and use them to interact with the cPanel API, which can lead to arbitrary file uploads, remote code execution, and full compromise of the hosting environment.
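A local audit for the storage pattern described above, as an added example (not the plugin's code and not part of the advisory): it walks a `wp-content` directory and reports non-PHP files that look like stored cPanel credentials and are not covered by an Apache deny rule. The marker patterns, function names and the sample directory and file names are assumptions made for illustration; the advisory does not name the plugin's actual files.

```python
import re
import tempfile
from pathlib import Path

# Heuristic markers (assumed, not the plugin's real key names) for the three
# credential fields the advisory lists: hostname, username, API key.
MARKERS = [re.compile(p, re.I) for p in (rb"host", rb"user", rb"api[_-]?(key|token)")]
DENY = re.compile(r"^\s*(require\s+all\s+denied|deny\s+from\s+all)", re.I | re.M)
EXECUTED = {".php"}  # run by the interpreter, so the source is not returned as-is


def is_denied(path: Path, root: Path) -> bool:
    """True if an .htaccess between the file and root denies all access (Apache only)."""
    for d in [path.parent, *path.parent.parents]:
        ht = d / ".htaccess"
        if ht.is_file() and DENY.search(ht.read_text(errors="ignore")):
            return True
        if d == root:
            break
    return False


def find_exposed_secret_files(wp_content: Path) -> list[Path]:
    """Files under wp_content that look like credentials and would be served verbatim."""
    hits = []
    for f in sorted(wp_content.rglob("*")):
        if not f.is_file() or f.name == ".htaccess" or f.suffix.lower() in EXECUTED:
            continue
        with f.open("rb") as fh:
            head = fh.read(65536)  # credentials files are small; cap the read
        if all(rx.search(head) for rx in MARKERS) and not is_denied(f, wp_content):
            hits.append(f.relative_to(wp_content))
    return hits


def demo() -> list[str]:
    """Constructed sample tree; directory names, file names and values are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wp-content"
        for name in ("open-config", "guarded-config"):
            (root / name).mkdir(parents=True)
            (root / name / "creds.json").write_text(
                '{"hostname": "cp.example.test", "username": "demo", "api_key": "PLACEHOLDER"}')
        (root / "guarded-config" / ".htaccess").write_text("Require all denied\n")
        (root / "open-config" / "settings.php").write_text("<?php $api_key='x'; $username='u'; $hostname='h';")
        return [p.as_posix() for p in find_exposed_secret_files(root)]
```

On nginx and other servers that ignore `.htaccess`, treat every credential-like file under `wp-content` as exposed regardless of what `is_denied` reports.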
Explanation of Vulnerability in Simple Terms
02 Summary
TNC Toolbox: Web Performance versions 1.4.2 and earlier contain a critical vulnerability that allows unauthenticated attackers to read sensitive data, modify site content, and disrupt service availability. The vulnerability requires no user interaction and can be exploited remotely over the network. All versions up to 1.4.2 are affected.
What an attacker can do
03 Attacker Capabilities
Read sensitive data, modify site content, and disrupt service availability without authentication.
Potential impact on your site
04 Site Impact
Complete compromise of confidentiality, integrity, and availability of the affected application.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
November 11, 2025: CVE published
April 8, 2026: Record updated