Published: Mar 07, 2025 16:27
Advisory No: TZCERT-SA-25-0065
Source: Wordfence
Software Affected: iwjob, golo, wpcom-member, homey, wp-realestate-manager, veda, give, newscrunch
Several WordPress plugins contain critical vulnerabilities. Exploitation of these vulnerabilities may allow an unauthenticated attacker to execute arbitrary code.
The WordPress plugins iwjob, golo, wpcom-member, homey, wp-realestate-manager, veda, give and newscrunch are affected by the vulnerabilities tracked as CVE-2025-1315, CVE-2024-12876, CVE-2025-1475, CVE-2024-12281, CVE-2025-1515, CVE-2024-13787, CVE-2025-0912 and CVE-2025-1307, each with a CVSS score of 9.8. The root causes include: not properly validating a user's identity before updating their password; insufficient verification of the 'user_phone' parameter at login; allowing users who register new accounts to choose their own role; insufficient identity verification in the LinkedIn login flow; deserialization of untrusted input in the 'veda_backup_and_restore_action' function; deserialization of untrusted input from the Donation Form via the 'card_address' parameter; and a missing capability check in the newscrunch_install_and_activate_plugin() function. Depending on the plugin, an unauthenticated attacker can change arbitrary users' passwords, including administrators', and use that to take over those accounts; gain elevated privileges; bypass authentication; retrieve sensitive data; or execute code remotely.
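The following PHP is an added illustration for this advisory, not code from any of the plugins listed above. It shows two of the bug classes the advisory names in their vulnerable and hardened forms: PHP object injection through unserialize() on a request parameter (the 'card_address' and 'veda_backup_and_restore_action' cases), and a registration handler that lets the client pick its own role. The class name Logger, the role allowlist and the $request array are assumptions made for the demo; it runs with plain PHP 7.0 or later and does not need WordPress.

```php
<?php
// Added illustrative example; not code from any plugin named in the advisory.
// Class name, role names and request contents are assumptions for the demo.

// A class with a magic method is the "gadget" that makes object injection
// dangerous: unserialize() rebuilds the object and PHP calls __wakeup() on it.
class Logger {
    public static $wakeups = 0;
    public $path = '/var/log/app.log';
    public function __wakeup() {
        // A real gadget chain would do something harmful here (file write, exec).
        self::$wakeups++;
    }
}

// Vulnerable: deserializes whatever the client submitted in a form field.
function load_address_vulnerable(string $untrusted) {
    return unserialize($untrusted);
}

// Hardened: no class may be instantiated from the input, so a gadget becomes
// an inert __PHP_Incomplete_Class and its magic methods never run.
function load_address_hardened(string $untrusted) {
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Constructed attacker payload: a serialized Logger, as it would be posted
// in a form field such as 'card_address'.
$payload = serialize(new Logger());

Logger::$wakeups = 0;
$obj = load_address_vulnerable($payload);
printf("vulnerable: got %s, __wakeup ran %d time(s)\n", get_class($obj), Logger::$wakeups);

Logger::$wakeups = 0;
$obj = load_address_hardened($payload);
printf("hardened:   got %s, __wakeup ran %d time(s)\n", get_class($obj), Logger::$wakeups);

// Better still: never accept serialized PHP from a client at all; exchange
// structured data as JSON, which cannot instantiate classes.
$address = json_decode('{"line1":"1 Example St","city":"Dodoma"}', true);
printf("json address city: %s\n", $address['city']);

// Vulnerable: trusts the role the registration form posted, so a client can
// simply send role=administrator.
function role_for_new_user_vulnerable(array $request): string {
    return $request['role'] ?? 'subscriber';
}

// Hardened: the server decides which roles self-registration may produce and
// falls back to the least privileged one for anything else.
function role_for_new_user_hardened(array $request): string {
    $self_service_roles = ['subscriber', 'contributor']; // assumed allowlist
    $requested = $request['role'] ?? 'subscriber';
    return in_array($requested, $self_service_roles, true) ? $requested : 'subscriber';
}

// Constructed registration request from an attacker.
$request = ['user_login' => 'mallory', 'role' => 'administrator'];
printf("vulnerable role: %s\n", role_for_new_user_vulnerable($request));
printf("hardened role:   %s\n", role_for_new_user_hardened($request));
```

The remaining classes in the advisory follow the same shape of fix inside WordPress itself: an admin-only action such as installing a plugin should be guarded with current_user_can( 'install_plugins' ) and a nonce check via check_ajax_referer() before doing any work, and a password reset should only proceed after check_password_reset_key() confirms the key belongs to the user whose password is being changed, rather than trusting a user name or phone number supplied in the request.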
Successful exploitation of these vulnerabilities may allow the attackers to take control of the affected system.
Patched versions of the affected plugins have been released. Users and administrators are encouraged to update to the latest versions.
A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.