Published On: Jun 16, 2025 08:57
Advisory No: TZCERT-SA-25-0102
Source: Wordfence
Software Affected: wp-email-debug, hypercomments, golo, psw-login-and-registration, profitori, real-time-validation-for-gravity-forms, affs, wp-pipes
Several WordPress plugins are affected by multiple critical vulnerabilities. Exploitation of these vulnerabilities may allow an unauthenticated attacker to execute code on the affected system.
The WordPress plugins listed below are affected by the following vulnerabilities, with CVSS scores of 9.8 and 9.1:
- wp-email-debug: CVE-2025-5486, missing capability check on the WPMDBUG_handle_settings() function
- hypercomments: CVE-2025-5701, missing capability check on the hc_request_handler function
- golo: CVE-2025-4797, improper validation of a user's identity before setting an authorization cookie
- psw-login-and-registration: CVE-2025-4607, use of a weak, low-entropy OTP mechanism in the forget() function
- profitori: CVE-2025-4631, missing capability check on the stocktend_object endpoint
- real-time-validation-for-gravity-forms: CVE-2025-48330, Local File Inclusion
- affs: CVE-2025-32291, missing file type validation
- wp-pipes: CVE-2025-48267, insufficient file path validation via the delete_template() function
Successful exploitation of these vulnerabilities allows the attacker to bypass access controls, obtain sensitive data, gain escalated privileges, or achieve code execution.
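Two of the weakness classes named above, a privileged admin-ajax handler with no capability check and a file-deletion endpoint with insufficient path validation, are shown below in the form a plugin reviewer would expect to see them fixed. This is an added illustration written for this advisory, not code from any of the plugins listed; the plugin slug "example-plugin", its option and action names, and its "templates" directory are hypothetical.

```php
<?php
// Added illustration; not code from any plugin named in this advisory.
// All names below (example_plugin_*, the 'example_plugin_opts' option,
// the templates/ directory) are made up for this example.

// --- Weak pattern: nothing checks who is calling, so any logged-in user
// --- (or, if hooked on 'wp_ajax_nopriv_', any anonymous visitor) can
// --- rewrite the plugin's settings. This is the "missing capability check"
// --- class. Shown for contrast only; it is deliberately NOT registered.
function example_plugin_save_settings_unchecked() {
    $opts = isset( $_POST['opts'] ) ? (array) $_POST['opts'] : array();
    update_option( 'example_plugin_opts', $opts );
    wp_send_json_success();
}

// --- Hardened pattern: nonce (request forgery), capability (authorization)
// --- and input sanitisation, in that order, before any state changes.
function example_plugin_save_settings() {
    // Dies with a 403 unless the request carries a valid nonce for this action.
    check_ajax_referer( 'example_plugin_save', 'nonce' );
    // Authorization: only users who may manage options can change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw  = isset( $_POST['opts'] ) ? (array) wp_unslash( $_POST['opts'] ) : array();
    $opts = array_map( 'sanitize_text_field', $raw );
    update_option( 'example_plugin_opts', $opts );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_plugin_save', 'example_plugin_save_settings' );

// --- Path containment for a "delete template" style endpoint: the supplied
// --- name must resolve to a regular file inside the plugin's own templates/
// --- directory, so "../" sequences or absolute paths cannot reach other files.
function example_plugin_delete_template() {
    check_ajax_referer( 'example_plugin_delete_template', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // sanitize_file_name() already strips directory separators; the realpath()
    // comparison below is defence in depth in case that filter is ever bypassed.
    $name = isset( $_POST['template'] )
        ? sanitize_file_name( wp_unslash( $_POST['template'] ) )
        : '';
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $path = ( '' !== $name && false !== $base )
        ? realpath( $base . DIRECTORY_SEPARATOR . $name )
        : false;
    // realpath() collapses "../" and symlinks. Compare against the resolved base
    // WITH a trailing separator so "templates-old/" is not accepted as "templates/".
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR )
        || ! is_file( $path ) ) {
        wp_send_json_error( 'invalid template', 400 );
    }
    wp_delete_file( $path );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_plugin_delete_template', 'example_plugin_delete_template' );
```

When auditing a plugin for this class of issue, look at every `add_action( 'wp_ajax_…' )`, `'wp_ajax_nopriv_…'`, `admin_post_…` and REST route registration and confirm the handler (or the route's `permission_callback`) checks a capability appropriate to what it does, not merely that a nonce is present; a nonce proves the request came from a page the user loaded, not that the user is allowed to perform the action.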
Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected system.
WordPress has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.
A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.