Overview

WordPress is vulnerable to critical vulnerabilities. Exploitation of these vulnerabilities may allow an unauthenticated attacker to execute code in the affected system.

Description

WordPress plugins job-listings, buddyboss-platform-pro, pgs-core, and frontend-dashboard are affected by the vulnerabilities tracked as CVE-2025-3918, CVE-2025-1909, CVE-2025-0855, and CVE-2025-4104 with CVSS score of 9.8 each. The plugins are vulnerable due to improper authorization within the register_action() function, insufficient verification on the user being supplied during the Apple OAuth authenticate request through the plugin, deserialization of untrusted input in the 'import_header' function, and a missing capability check on the fed_wp_ajax_fed_login_form_post() function. Successful exploitation of this vulnerability allows the attacker to gain escalated privileges, retrieve sensitive data, or execute code.

Impact

Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected system.

Solution

WordPress has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.

References

• 1. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/job-listings/job-listings-01-011-unauthenticated-privilege-escalation-via-register-action-function
• 2. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/buddyboss-platform-pro/buddyboss-platform-pro-2701-authentication-bypass-via-apple-oauth-provider
• 3. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/pgs-core/pgs-core-580-unauthenticated-php-object-injection
• 4. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/frontend-dashboard/frontend-dashboard-10-226-missing-authorization-to-unauthenticated-privilege-escalation-via-fed-wp-ajax-fed-login-form-post-function