VYPR
Critical severity 9.8 · NVD Advisory · Published Aug 14, 2025 · Updated Apr 15, 2026

CVE-2025-8047

Description

The disable-right-click-powered-by-pixterme through v1.2 and pixter-image-digital-license through v1.0 WordPress plugins load a JavaScript file which has been compromised from an apparently abandoned S3 bucket. It can be used as a backdoor by those who control it, but it currently displays an alert marketing security services. Users that pay are added to allowedDomains to suppress the popup.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple WordPress plugins load a compromised JavaScript file from an abandoned S3 bucket, allowing potential backdoor access.

The disable-right-click-powered-by-pixterme (up to v1.2) and pixter-image-digital-license (up to v1.0) WordPress plugins load a JavaScript file from an apparently abandoned S3 bucket [1]. The file has been compromised and can be controlled by the bucket owner. Currently, it displays an alert marketing security services, but an attacker could modify it to execute arbitrary code on affected sites [1].

Attack Vector

Attackers who gain control of the S3 bucket can serve malicious JavaScript to any site using these plugins. No authentication or user interaction is required beyond the plugin being active and the bucket being accessible. This is a supply chain compromise affecting the plugin's remote resource [1].

Impact

An attacker can execute arbitrary JavaScript in the context of affected WordPress sites, potentially leading to full site compromise, data theft, or further injection attacks. The plugins effectively act as a backdoor for the bucket controller [1].

Mitigation

No official patches are available. The researcher recommends removing these plugins immediately and not using them until a verified update is released [1]. Sites should also review for any signs of compromise.
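
An added example, not part of the advisory or of either plugin's code: a Python check that looks for the two affected plugin slugs under a `wp-content/plugins` directory, compares the version header against the last affected version from the description, and lists script URLs on Amazon S3 hostnames found in the plugin's PHP. The S3 hostname pattern and the sample tree built in `demo()` are assumptions constructed for illustration; the page does not name the bucket.

```python
import re, tempfile
from pathlib import Path

# Slugs and last affected versions, as stated in the CVE description.
AFFECTED = {
    "disable-right-click-powered-by-pixterme": "1.2",
    "pixter-image-digital-license": "1.0",
}
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.I | re.M)
# Generic Amazon S3 hostnames (assumption); the real bucket name is not on the page.
S3_JS_RE = re.compile(
    r"""["'](?:https?:)?//([\w.-]*s3[\w.-]*\.amazonaws\.com/[^"']+\.js)""", re.I)

def as_tuple(version):
    """'1.2.0' -> (1, 2); trailing zeros are dropped so 1.0 == 1.0.0."""
    parts = [int(p) for p in version.split(".") if p]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def scan_plugins(plugins_dir):
    """Report affected plugins found under a wp-content/plugins directory."""
    findings = []
    for slug, last_bad in AFFECTED.items():
        root = Path(plugins_dir) / slug
        if not root.is_dir():
            continue
        version, scripts = None, set()
        for php in sorted(root.rglob("*.php")):
            text = php.read_text(errors="replace")
            m = VERSION_RE.search(text)
            version = version or (m.group(1) if m else None)
            scripts.update(S3_JS_RE.findall(text))
        # A missing version header is treated as affected (fail closed).
        affected = version is None or as_tuple(version) <= as_tuple(last_bad)
        findings.append({"slug": slug, "version": version,
                         "affected": affected, "s3_scripts": sorted(scripts)})
    return findings

def demo():
    """Run the scan over a constructed plugin tree (sample data, not real)."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "pixter-image-digital-license"
        plugin.mkdir()
        (plugin / "plugin.php").write_text(
            "<?php\n/*\n * Plugin Name: Constructed sample\n * Version: 1.0\n */\n"
            "wp_enqueue_script('x', 'https://example-bucket.s3.amazonaws.com/a/app.js');\n")
        return scan_plugins(tmp)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real site, call `scan_plugins()` with the path to the site's `wp-content/plugins` directory; any finding with `affected` set is a plugin to remove, and the listed script hosts are worth checking against web server and proxy logs.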

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

References

1
