Published On: May 09, 2025 16:16
Advisory No: TZCERT-SA-25-0094
Source: Wordfence
Software Affected: job-listings, buddyboss-platform-pro, pgs-core, frontend-dashboard
Four WordPress plugins are affected by critical vulnerabilities. Exploitation of these vulnerabilities may allow an unauthenticated attacker to execute code on the affected system.
The WordPress plugins job-listings, buddyboss-platform-pro, pgs-core, and frontend-dashboard are affected by the vulnerabilities tracked as CVE-2025-3918, CVE-2025-1909, CVE-2025-0855, and CVE-2025-4104, each with a CVSS score of 9.8. The root causes, in the same order, are: improper authorization within the register_action() function; insufficient verification of the user supplied during the Apple OAuth authenticate request handled by the plugin; deserialization of untrusted input in the import_header function; and a missing capability check on the fed_wp_ajax_fed_login_form_post() function. Successful exploitation of these vulnerabilities allows an attacker to gain escalated privileges, retrieve sensitive data, or execute code.
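As an added illustration (not code from any of the plugins named above), the missing-capability-check pattern described for the AJAX login handler is shown beside a hardened handler; every function, hook, nonce and action name here is hypothetical.

```php
<?php
// Added example, not code from the advisory's plugins: a hypothetical admin-ajax.php
// handler that changes a user's role, in a vulnerable form and a hardened form.

// Vulnerable pattern: hooked for unauthenticated (nopriv) and authenticated callers,
// with no nonce and no capability check, so any visitor who knows the action name
// can assign any role to any user.
add_action('wp_ajax_nopriv_example_set_role', 'example_set_role_vulnerable');
add_action('wp_ajax_example_set_role', 'example_set_role_vulnerable');
function example_set_role_vulnerable() {
    $user = get_user_by('id', absint($_POST['user_id'] ?? 0));
    if ($user) {
        $user->set_role(sanitize_key($_POST['role'] ?? ''));
    }
    wp_send_json_success();
}

// Hardened pattern: authenticated-only hook, nonce verification, an explicit
// capability check, and a role allow-list instead of trusting request data.
add_action('wp_ajax_example_set_role_secure', 'example_set_role_secure');
function example_set_role_secure() {
    check_ajax_referer('example_set_role', 'nonce');   // dies on a missing/invalid nonce
    if (!current_user_can('promote_users')) {          // caller must hold the capability
        wp_send_json_error('forbidden', 403);
    }
    $user_id = absint($_POST['user_id'] ?? 0);
    $role    = sanitize_key($_POST['role'] ?? '');
    if (!in_array($role, array('subscriber', 'contributor'), true)) {
        wp_send_json_error('invalid role', 400);
    }
    $user = get_user_by('id', $user_id);
    if (!$user) {
        wp_send_json_error('no such user', 404);
    }
    $user->set_role($role);
    wp_send_json_success();
}
```

The same three checks (authenticated hook, nonce, capability) apply to any state-changing AJAX or REST handler; a role or privilege change is simply the case where their absence is most damaging.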
Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected system.
WordPress has released security patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.
A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.