Multiple Critical Vulnerabilities in WordPress Plugins (CVE-2025-2505, CVE-2025-2512, CVE-2024-13410, CVE-2024-13790, CVE-2024-12922, CVE-2024-13442, CVE-2025-1771)

Published On: Mar 21, 2025 15:25

Advisory No: TZCERT-SA-25-0075

Source: Wordfence

Software Affected: age-gate, file-away, cozystay, minimog, altair, sf-booking, traveler

Overview

Several WordPress plugins contain critical vulnerabilities. Exploitation may allow an unauthenticated attacker to bypass access controls, read sensitive files, or execute arbitrary code on the affected site.

Description

The WordPress plugins age-gate, file-away, cozystay, minimog, altair, sf-booking, and traveler are affected by seven vulnerabilities, reported by the source with a CVSS score of 9.8 each. In the order the source lists the plugins and identifiers:

CVE-2025-2505 (age-gate): Local PHP File Inclusion via the 'lang' parameter.
CVE-2025-2512 (file-away): missing capability check and missing file type validation in the upload() function, allowing arbitrary file upload.
CVE-2024-13410 (cozystay): PHP Object Injection via deserialization of untrusted input in the 'ajax_handler' function.
CVE-2024-13790 (minimog): Local File Inclusion via the 'template' parameter.
CVE-2024-12922 (altair): missing capability check within functions.php.
CVE-2024-13442 (sf-booking): failure to properly validate a user's identity (authentication bypass).
CVE-2025-1771 (traveler): Local File Inclusion via the 'style' parameter of the 'hotel_alone_load_more_post' function.

All of these are reachable by unauthenticated attackers and allow them to bypass access controls, obtain sensitive data, or achieve code execution, depending on the flaw.
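Most of the flaws above are reachable through query parameters ('lang', 'template', 'style', or serialized data handed to an AJAX handler), so web server access logs are the quickest place to look for exploitation attempts while patches are being rolled out. The following is an added example written for this advisory, not code from TZ-CERT or Wordfence: it parses combined-format access log lines, percent-decodes each query parameter (including double-encoded values), and flags directory traversal or PHP stream wrappers in the parameters the advisory names, traversal in any other parameter, and PHP serialized objects (the shape a PHP Object Injection payload takes). The log format, the sample lines, and the action name 'example_ajax' are constructed assumptions; only the parameter and function names come from the advisory.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Query parameters the advisory names as Local File Inclusion sinks.
KNOWN_LFI_PARAMS = {"lang", "template", "style"}

# Directory traversal and PHP stream wrappers typical of LFI attempts.
TRAVERSAL = re.compile(r"\.\.[/\\]|php://|phar://|data:|expect://", re.IGNORECASE)

# A PHP serialized object starts with O:<len>:"<class>"; object-injection
# payloads passed through a query string show up in this form once decoded.
SERIALIZED_OBJECT = re.compile(r'(?:^|[;{:])O:\d+:"')

# Apache/Nginx "combined" log format (assumed layout for this example).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded traversal (%252e%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_target(target):
    """Return (kind, param, decoded_value) findings for one request target."""
    findings = []
    query = urlsplit(target).query
    # parse_qsl decodes one layer of percent-encoding; fully_decode handles the rest.
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)
        if TRAVERSAL.search(value):
            kind = "lfi" if name in KNOWN_LFI_PARAMS else "traversal"
            findings.append((kind, name, value))
        elif SERIALIZED_OBJECT.search(value):
            findings.append(("object_injection", name, value))
    return findings


def scan_log(lines):
    """Return (ip, target, kind, param, value) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        for kind, param, value in inspect_target(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), kind, param, value))
    return hits


# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Mar/2025:10:01:12 +0000] "GET /?lang=../../../../etc/passwd HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [21/Mar/2025:10:01:13 +0000] "GET /wp-admin/admin-ajax.php?action=hotel_alone_load_more_post&style=..%2f..%2fwp-config.php HTTP/1.1" 200 88 "-" "curl/8.0"',
    '203.0.113.5 - - [21/Mar/2025:10:01:14 +0000] "GET /?lang=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [21/Mar/2025:10:02:40 +0000] "GET /wp-admin/admin-ajax.php?action=example_ajax&data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 2 "-" "python-requests/2.31"',
    '198.51.100.9 - - [21/Mar/2025:10:05:01 +0000] "GET /?lang=en_US HTTP/1.1" 200 9043 "-" "Mozilla/5.0"',
    "not a log line",
]

if __name__ == "__main__":
    for ip, target, kind, param, value in scan_log(SAMPLE_LOG):
        print(f"{ip} {kind:16} {param}={value!r}  ({target})")
```

Run it against a real access log with `scan_log(open("access.log"))`. A 200 response to a traversal request is not proof the inclusion succeeded, but any hit on 'lang', 'template', or 'style' against a site running one of the affected plugins warrants pulling the plugin's version and checking for dropped web shells. Request bodies are not in access logs, so object-injection payloads sent via POST will not be visible here; those need the application or WAF logs.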

Impact

Successful exploitation of these vulnerabilities may allow an unauthenticated attacker to take control of the affected WordPress site and, through code execution, the underlying server.

Solution

The developers of the affected plugins have released patched versions. Users and administrators are encouraged to update each affected plugin to its latest version without delay and, where an update cannot be applied immediately, to deactivate the plugin until it can be.
