Jewel Theme Plugins CVE-2025-10896: Brief Summary of Arbitrary Plugin Upload Vulnerability

This post presents a brief summary of CVE-2025-10896, a critical arbitrary plugin upload vulnerability affecting multiple WordPress plugins using the Jewel Theme Recommended Plugins Library up to version 1.0.2.3. The summary covers technical details, affected versions, and vendor security history based on publicly available sources.
ZeroPath CVE Analysis

2025-11-03

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Attackers with even the lowest level of authenticated access can take over WordPress sites running certain Jewel Theme plugins, simply by uploading a malicious plugin package. The impact is immediate: remote code execution and full compromise of the affected site are possible if the vulnerability is exploited.

Jewel Theme is a WordPress plugin and theme vendor with a portfolio including WP Adminify, Master Addons for Elementor, and Master Blocks. Their products are widely used for site customization and page building in the WordPress ecosystem, with distribution through marketplaces like Envato and direct sales. The Jewel Theme Recommended Plugins Library is bundled with several of their products, amplifying the reach of any vulnerability in this shared component.

Technical Information

CVE-2025-10896 is a critical vulnerability (CVSS 8.8) in the Jewel Theme Recommended Plugins Library, affecting all versions up to and including 1.0.2.3. The vulnerability is rooted in missing capability checks in the *_recommended_upgrade_plugin function. This function is responsible for handling plugin installation requests, but it fails to verify whether the current user has the necessary privileges to install plugins. As a result, any authenticated user with subscriber-level access or higher can trigger the installation process.

The function accepts arbitrary plugin URLs as input, allowing an attacker to supply a link to a malicious plugin package under their control. When the vulnerable code processes this request, it downloads and installs the plugin without any server-side verification of the user's capability or the trustworthiness of the plugin source. This enables remote code execution, as the installed plugin can execute arbitrary PHP code within the context of the WordPress site.

The vulnerable logic is present in several files within affected plugins, including:

  • Libs/Assets.php at line 70
  • Libs/Recommended.php at lines 43 and 334

These files are publicly accessible in the plugin's source repository and have been referenced in vulnerability advisories (Wordfence).

The root cause is the absence of server-side capability checks (such as current_user_can('install_plugins')) before allowing plugin installation. Combined with the acceptance of arbitrary plugin URLs, this creates a direct path for privilege escalation and code execution by low-privilege users.
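As an added illustration (not code from the Jewel Theme library, the advisory, or Wordfence), the following sketch shows what an install handler's entry point looks like once the missing check is in place. The function, AJAX action, and nonce names are assumptions chosen to mirror the advisory's `*_recommended_upgrade_plugin`; the calls used (current_user_can, check_ajax_referer, plugins_api, Plugin_Upgrader, WP_Ajax_Upgrader_Skin) are WordPress core APIs.

```php
<?php
/**
 * Added example, not the vendor's code. The "example_" prefix, the AJAX action
 * name, the nonce action and the recommended-slug allowlist are assumptions.
 */

add_action( 'wp_ajax_example_recommended_upgrade_plugin', 'example_recommended_upgrade_plugin' );

function example_recommended_upgrade_plugin() {
    // 1. Authorization. CVE-2025-10896 is the absence of exactly this check:
    //    without it any authenticated user (subscriber and up) reaches the
    //    install path.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce bound to this action.
    check_ajax_referer( 'example_recommended_upgrade_plugin', 'nonce' );

    // 3. Do not accept a package URL from the client at all. Accept only a
    //    plugin slug and resolve the download location server-side via the
    //    WordPress.org plugin API.
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';

    // Constructed allowlist of slugs this product is allowed to recommend.
    $recommended = array( 'example-recommended-plugin' );
    if ( '' === $slug || ! in_array( $slug, $recommended, true ) ) {
        wp_send_json_error( array( 'message' => 'Plugin is not in the recommended list.' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';

    $api = plugins_api(
        'plugin_information',
        array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
    );
    if ( is_wp_error( $api ) || empty( $api->download_link ) ) {
        wp_send_json_error( array( 'message' => 'Plugin not found on WordPress.org.' ), 404 );
    }

    // 4. Install from the resolved, vendor-independent download link only.
    $skin     = new WP_Ajax_Upgrader_Skin();
    $upgrader = new Plugin_Upgrader( $skin );
    $result   = $upgrader->install( $api->download_link );

    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => $skin->get_error_messages() ), 500 );
    }

    wp_send_json_success( array( 'slug' => $slug ) );
}
```

The three controls are independent: the capability check closes the privilege escalation described above, the nonce prevents an administrator from being tricked into triggering the install cross-site, and replacing the client-supplied URL with a server-side slug lookup removes the "arbitrary plugin package" half of the bug even if a capability check were later regressed.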

Affected Systems and Versions

  • Jewel Theme Recommended Plugins Library: all versions up to and including 1.0.2.3
  • Any WordPress plugin bundling this library, including but not limited to:
    • Image Hover Effects Addon for Elementor (as referenced in the WordPress plugin repository)
    • Other Jewel Theme products that include the vulnerable library

The vulnerability does not depend on any particular site configuration beyond two preconditions: the affected library version is in use, and an attacker can obtain an authenticated account (for example because user registration is open or subscriber-level accounts already exist).

Vendor Security History

Jewel Theme has a documented history of authorization and input validation vulnerabilities in its products. Notable examples include:

  • CVE-2024-29911: Stored cross-site scripting in Master Addons for Elementor
  • CVE-2024-33595: Missing authorization in Master Addons for Elementor

These prior issues highlight recurring patterns in access control and input handling, suggesting a need for improved secure development practices.
