Tag: critical

  • CVE-2025-1315: Critical Privilege Escalation via Password Reset in InWave Jobs WordPress Plugin

    Overview

    CVE-2025-1315 is a critical vulnerability in the InWave Jobs plugin for WordPress, affecting all versions up to and including 3.5.1. This flaw allows unauthenticated attackers to reset the password of any user, including administrators, leading to full compromise of affected WordPress sites.

    Technical Details

    The vulnerability arises from the plugin’s failure to properly validate the identity of the user initiating a password reset. As a result, an attacker can craft a request that changes the password of any account without authentication. This type of flaw is categorized under CWE-288: Authentication Bypass Using an Alternate Path or Channel.
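    To make the missing identity check concrete, the following is an added illustration and not code from the InWave Jobs plugin; the handler names, the AJAX actions and the request fields (`user_login`, `reset_key`, `new_password`) are hypothetical. It contrasts a reset handler that trusts whatever account the request names with one that only honours a reset key WordPress generated for that login and delivered to the account's e-mail address, using WordPress core's own `check_password_reset_key()` and `reset_password()`.

```php
<?php
// Added example, not InWave Jobs code. Function names, AJAX action names and
// request field names are hypothetical.

// Vulnerable pattern: the only "identity" is the login the request claims.
// Reachable without a session (wp_ajax_nopriv_), so anyone can name an
// account, including an administrator, and set its password.
function example_reset_password_unchecked() {
    $user = get_user_by( 'login', sanitize_user( $_POST['user_login'] ?? '' ) );
    if ( ! $user ) {
        wp_send_json_error( 'unknown user', 400 );
    }
    wp_set_password( (string) ( $_POST['new_password'] ?? '' ), $user->ID ); // no proof of identity
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_example_reset_unchecked', 'example_reset_password_unchecked' );

// Hardened pattern: the reset is only honoured together with a valid,
// unexpired key that core generated for this login (get_password_reset_key)
// and mailed to the account owner. Naming a user is not enough.
function example_reset_password_checked() {
    $login = sanitize_user( $_POST['user_login'] ?? '' );
    $key   = sanitize_text_field( $_POST['reset_key'] ?? '' );
    $pass  = (string) ( $_POST['new_password'] ?? '' );

    // Returns a WP_User on success, or WP_Error when the key is missing,
    // does not match the stored hash for this login, or has expired.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        wp_send_json_error( 'invalid or expired reset key', 403 );
    }
    if ( strlen( $pass ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }

    // Stores the new hash; wp_set_password() also clears the stored
    // activation key, so the same link cannot be replayed.
    reset_password( $user, $pass );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_example_reset_checked', 'example_reset_password_checked' );
```

    The difference to audit for in any reset path is whether the branch that calls `wp_set_password()` or `reset_password()` is reachable without a key (or token) that the server itself issued to the account being changed.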

    Once the password of a privileged user, such as an administrator, is changed, the attacker gains full access to the backend, allowing them to:

    • Modify or delete content
    • Install malicious plugins or themes
    • Exfiltrate sensitive data
    • Compromise other user accounts

    CVSS Score

    This vulnerability has been assigned a CVSS v3.1 score of 9.8 (Critical):

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
    • Impact: High for Confidentiality, Integrity, and Availability

    Impacted Versions

    All versions of the InWave Jobs plugin up to and including 3.5.1 are affected. This includes installations integrated with themes like InJob.

    Mitigation

    • Immediately update to a patched version if available.
    • Disable the plugin temporarily if an update is not available.
    • Review your site’s user accounts for unauthorized changes or suspicious activity.
    • Reset administrator passwords after patching to ensure security.

    Conclusion

    This vulnerability emphasizes the importance of strict identity validation for all user-sensitive actions, especially password resets. A missing check in such a critical function can open the door to full system compromise. Site administrators using InWave Jobs should patch immediately and audit their sites for signs of intrusion.

    Credit for discovery goes to Tonn. For more information, visit the Wordfence advisory.

  • CVE-2025-1307: Critical Arbitrary File Upload in Newscrunch WordPress Theme

    Overview

    CVE-2025-1307 is a critical vulnerability in the Newscrunch theme for WordPress, affecting all versions up to and including 1.8.4. The issue allows authenticated users with Subscriber-level access or higher to upload arbitrary files to the server, potentially leading to full remote code execution.

    Technical Details

    The vulnerability stems from a missing capability check in the newscrunch_install_and_activate_plugin() function. This function fails to properly verify the permissions of the user invoking it. As a result, even low-privileged users, such as Subscribers, can exploit the flaw to upload malicious files—including PHP scripts—directly to the web server.

    This type of vulnerability is categorized as CWE-862: Missing Authorization. It demonstrates how insufficient access control can elevate minimal user privileges into a full-blown compromise, especially when combined with file upload functionality that lacks validation or execution restrictions.
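    As an added illustration of the missing capability check (this is not Newscrunch code; the hook names, the `example_` functions and the nonce action are hypothetical), the handler below is shown once without authorization and once guarded by a nonce plus the `install_plugins` capability, which WordPress grants to administrators only. The install step itself is left as a comment because it is not the point of the example.

```php
<?php
// Added example, not Newscrunch code. Hook names, function names and the
// 'example_install' nonce action are hypothetical.

// Missing-authorization pattern: any logged-in user who can reach
// admin-ajax.php (Subscribers included) can trigger the install path.
function example_install_plugin_unchecked() {
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    example_do_install( $slug ); // no capability check, no nonce
    wp_send_json_success();
}
add_action( 'wp_ajax_example_install_unchecked', 'example_install_plugin_unchecked' );

// Hardened pattern: the nonce proves the request originated from our own
// admin page (not a forged cross-site request), and current_user_can() ties
// the action to a specific capability rather than to "is logged in".
function example_install_plugin_checked() {
    check_ajax_referer( 'example_install', 'nonce' );           // dies with 403 on failure
    if ( ! current_user_can( 'install_plugins' ) ) {
        error_log( 'example: denied plugin install for user ' . get_current_user_id() );
        wp_send_json_error( 'insufficient privileges', 403 ); // Subscriber stops here
    }
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    if ( '' === $slug ) {
        wp_send_json_error( 'missing slug', 400 );
    }
    example_do_install( $slug );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_install_checked', 'example_install_plugin_checked' );

// Hypothetical install routine; in real code this is where Plugin_Upgrader
// would be invoked. It must only ever be called after the checks above.
function example_do_install( string $slug ) {
    // ... Plugin_Upgrader::install( ... ) ...
}

// The admin page that renders the button must mint the matching nonce:
//   wp_nonce_field( 'example_install', 'nonce' );
```

    When reviewing a theme or plugin, grep for `wp_ajax_` and `admin_post_` hooks and confirm every handler that installs, uploads or writes files begins with both a nonce check and a `current_user_can()` test for a capability more specific than `read`.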

    CVSS Score

    The issue has been scored as 9.8 (Critical) using CVSS v3.1:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
    • Impact: High (Confidentiality, Integrity, Availability)

    Impacted Versions

    The vulnerability affects all versions of the Newscrunch theme up to and including 1.8.4. This includes default installations where subscriber accounts are enabled.

    Mitigation

    • Update the Newscrunch theme to the latest version that includes a fix for this issue.
    • Restrict user registration or limit file upload capabilities for non-admin roles as a temporary measure.
    • Scan your server for suspicious uploaded files, especially PHP scripts in non-standard directories.

    Conclusion

    This vulnerability is a reminder that themes and plugins must rigorously enforce capability checks, particularly when implementing file upload or plugin management features. Site administrators using Newscrunch should patch immediately and audit any low-privilege accounts for unusual activity.

    Thanks to Chloe Chamberland for identifying and reporting this vulnerability. More details can be found in the Wordfence advisory.

  • CVE-2025-1061: Critical Authentication Bypass in Nextend Social Login Pro via Apple OAuth

    Overview

    CVE-2025-1061 is a critical authentication bypass vulnerability in the Nextend Social Login Pro plugin for WordPress. Versions up to and including 3.1.16 are affected. The flaw allows unauthenticated attackers to log in as any existing user, including administrators, by exploiting weaknesses in the Apple OAuth authentication process.

    Technical Details

    The vulnerability stems from insufficient verification of the user data provided during the Apple OAuth authentication request. Specifically, the plugin fails to securely validate the identity of the user returned by Apple, so an attacker who knows or can guess an existing user’s email address can log in as that user without knowing the password or holding any other valid credential.

    This issue is classified under CWE-288: Authentication Bypass Using an Alternate Path or Channel. By bypassing the standard login mechanisms, an attacker can impersonate site administrators or other privileged users, gaining full access to the WordPress dashboard and potentially compromising the entire website.

    CVSS Score

    The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical), indicating the highest level of severity:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
    • Impact: High (Confidentiality, Integrity, Availability)

    Impacted Versions

    All versions of Nextend Social Login Pro up to and including 3.1.16 are affected. Site owners using this plugin should check their version immediately.

    Mitigation

    • Update to the latest version of the plugin that contains a patch for this issue.
    • Audit user access and check for signs of unauthorized logins, especially for administrator accounts.
    • Reconfigure or disable Apple OAuth login until you are certain the patch is in place and effective.

    Conclusion

    OAuth integrations simplify user login but must be handled with strict validation and security checks. This incident underscores the importance of never trusting identity assertions without verification. Plugin developers and site administrators alike should take extra precautions with third-party login providers.

    For more details, consult the official advisory on Wordfence or view the plugin documentation on Nextend.

  • CVE-2025-30206: Hardcoded JWT Secret in Dpanel Enables Full Remote Compromise

    Overview

    CVE-2025-30206 is a critical vulnerability in Dpanel, a Docker visualization and management panel. The flaw affects versions prior to 1.6.1 and stems from the use of a hardcoded JWT secret. This enables attackers to craft valid tokens and take full control of the system remotely.

    Technical Details

    The vulnerability arises from insecure design choices, including the use of a hardcoded cryptographic key (CWE-321), insecure default variable initialization (CWE-453), and embedded constants (CWE-547). By analyzing the source code, an attacker can identify the JWT secret used to sign authentication tokens. With this knowledge, they can generate valid JWTs, impersonate admin users, and bypass all authentication controls.

    Once authenticated, an attacker gains administrative access, potentially allowing them to:

    • Execute arbitrary commands on the host
    • Access and exfiltrate sensitive data
    • Escalate privileges
    • Move laterally across the network

    This vulnerability is especially dangerous in cloud or containerized environments where Dpanel is used to orchestrate Docker containers and images.

    CVSS Score

    The issue has been rated 9.8 (Critical) under CVSS v3.1:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Impact: High on Confidentiality, Integrity, and Availability

    Affected Versions

    All Dpanel versions prior to 1.6.1 are affected. This includes default installations where the hardcoded secret remains unchanged.

    Mitigation

    • Update to Dpanel version 1.6.1, which includes a patch for the issue.
    • If an upgrade is not possible, replace the hardcoded JWT secret with a securely generated value and store it in a secure configuration file or secrets manager.
    • Audit existing Dpanel deployments to ensure secrets are not default or exposed.
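    The following added example is not Dpanel code (Dpanel is written in Go; the pattern is language-independent and is shown here in PHP to match the rest of this page). The `example_` names, the `JWT_SECRET` environment variable and the placeholder list are assumptions. It shows the two halves of the mitigation above: refusing to run with a default or weak signing key, and verifying HS256 tokens in a way that fails closed.

```php
<?php
// Added example, not Dpanel code. Names and the JWT_SECRET variable are
// hypothetical; the placeholder value is constructed.

// Anti-pattern described in the advisory: a signing key that ships in the
// source. Everyone who can read the code can mint tokens for any user.
const EXAMPLE_HARDCODED_SECRET = 'example-default-secret-change-me'; // constructed placeholder

// Hardened: the key is provisioned per deployment, and the service refuses
// to start rather than fall back to a default or a weak value.
function example_load_jwt_secret(): string {
    $secret       = getenv( 'JWT_SECRET' );
    $placeholders = [ '', 'secret', 'changeme', 'change-me', EXAMPLE_HARDCODED_SECRET ];
    if ( false === $secret || in_array( strtolower( trim( $secret ) ), $placeholders, true ) ) {
        throw new RuntimeException( 'JWT_SECRET is unset or a placeholder; refusing to start' );
    }
    if ( strlen( $secret ) < 32 ) { // HS256 wants at least 256 bits of key material
        throw new RuntimeException( 'JWT_SECRET is too short (need 32+ bytes)' );
    }
    return $secret;
}

// One-time provisioning helper: 32 random bytes, hex-encoded, to be written
// into the deployment's secret store, never into the repository.
function example_generate_jwt_secret(): string {
    return bin2hex( random_bytes( 32 ) );
}

function example_b64url_decode( string $s ) {
    $pad = str_repeat( '=', ( 4 - strlen( $s ) % 4 ) % 4 );
    return base64_decode( strtr( $s, '-_', '+/' ) . $pad, true );
}

// Verification that fails closed: algorithm pinned to HS256 (so "alg":"none"
// or a swapped algorithm is rejected), constant-time signature comparison,
// and expiry enforced. Returns the claims or null.
function example_verify_hs256( string $jwt, string $secret ): ?array {
    $parts = explode( '.', $jwt );
    if ( 3 !== count( $parts ) ) {
        return null;
    }
    [ $h, $p, $s ] = $parts;
    $header = json_decode( example_b64url_decode( $h ) ?: '', true );
    if ( ! is_array( $header ) || ( $header['alg'] ?? '' ) !== 'HS256' ) {
        return null;
    }
    $expected = hash_hmac( 'sha256', "$h.$p", $secret, true );
    $given    = example_b64url_decode( $s );
    if ( false === $given || ! hash_equals( $expected, $given ) ) {
        return null; // signature does not match: forged or signed with another key
    }
    $claims = json_decode( example_b64url_decode( $p ) ?: '', true );
    if ( ! is_array( $claims ) || ! isset( $claims['exp'] ) || time() >= (int) $claims['exp'] ) {
        return null; // missing or past expiry
    }
    return $claims;
}
```

    For the audit item above, the practical check is the same as `example_load_jwt_secret()` performs at startup: confirm that the secret in each deployment is neither the value found in the shipped source nor a short or well-known string, and rotate it if it is, which also invalidates any token already minted with the old key.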

    Conclusion

    Hardcoded secrets remain one of the most dangerous and avoidable security flaws. Projects managing access and infrastructure—like Dpanel—must ensure that sensitive credentials are properly generated, stored securely, and never embedded directly in source code. Organizations using Dpanel should take immediate action to mitigate the risk and prevent potential breaches.

    More details are available in the official advisory: GHSA-j752-cjcj-w847.

  • CVE-2025-30065: Critical Code Execution Vulnerability in Apache Parquet Java (parquet-avro Module)

    Overview

    On April 1, 2025, a critical vulnerability was published under the identifier CVE-2025-30065. The flaw affects Apache Parquet Java, specifically the parquet-avro module in versions ≤ 1.15.0. This vulnerability allows attackers to execute arbitrary code when a specially crafted Avro schema is parsed from Parquet file metadata.

    Technical Details

    This issue arises due to unsafe schema parsing that leads to deserialization of untrusted data (CWE-502). When an application using the vulnerable library reads a malicious Parquet file, it may deserialize attacker-controlled input, resulting in full remote code execution. This can occur without any user interaction or special permissions.

    The issue has been assigned the highest CVSS v4.0 base score of 10 (Critical), reflecting the severity and exploitability of the flaw. According to the CVSS vector:

    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Confidentiality, Integrity, Availability Impact: High

    Impacted Component

    The vulnerability affects the org.apache.parquet:parquet-avro package from the Apache Parquet Java library. All versions up to and including 1.15.0 are vulnerable.

    Real-World Impact

    This vulnerability is particularly dangerous in environments where applications process Parquet files from untrusted sources, such as data ingestion systems, cloud data pipelines, or external integrations. Exploitation can lead to complete system compromise, as confirmed by publicly available proof-of-concept exploits.

    Mitigation

    • Upgrade to Apache Parquet Java version 1.15.1 or later, which includes a fix for this issue.
    • Do not process untrusted Parquet files until patches are applied.
    • Consider isolating file parsing into sandboxed or low-privilege environments to reduce risk.

    Discovery and Acknowledgment

    This vulnerability was discovered by Keyi Li from Amazon. The Apache Software Foundation has released an advisory and patch for the issue. Additional exploit demonstrations have been shared by the security community on GitHub.

    References

    All users of the Apache Parquet Java library are urged to update immediately.

  • CVE-2025-47282: Critical Privilege Escalation in Gardener External DNS Management

    Overview

    A critical security vulnerability identified as CVE-2025-47282 has been disclosed in Gardener External DNS Management, affecting all versions prior to 0.23.6. This flaw allows users with specific administrative privileges to escalate privileges and potentially gain control over seed clusters in Kubernetes environments. The issue is rated with a CVSS v3.0 score of 9.9 (Critical).

    What is Gardener External DNS Management?

    Gardener is a Kubernetes-based system for managing Kubernetes clusters across multiple infrastructures. Its external-dns-management component handles DNS entries for shoot clusters and may also be deployed to seed clusters via the gardener-extension-shoot-dns-service extension.

    Technical Details

    The vulnerability arises from improper input validation (CWE-20). Specifically, a malicious Google credential embedded in a DNS secret can be used by an attacker to inject unintended configurations, potentially allowing the attacker to take over the seed cluster hosting the shoot cluster.

    This applies to users who have administrative privileges over:

    • A Gardener project
    • A shoot cluster
    • A single namespace within a shoot cluster

    If the shoot-dns-service extension is enabled, then all versions ≤ v1.60.0 of this extension are also affected.

    CVSS Breakdown

    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
    • Confidentiality/Integrity/Availability Impact: High

    Affected Components

    The following components are impacted:

    • gardener/external-dns-management < version 0.23.6
    • gardener-extension-shoot-dns-service ≤ v1.60.0

    Mitigation

    • Upgrade external-dns-management to version 0.23.6 or later.
    • If using the shoot-dns-service extension, ensure you are using a version later than v1.60.0.
    • Review permissions and secrets to identify possible abuse vectors.

    Conclusion

    This vulnerability underscores the need for strict input validation in infrastructure components and careful handling of credentials in DNS secrets. Administrators should patch their installations immediately to mitigate the risk of privilege escalation in Gardener-managed Kubernetes clusters.

    For more details, refer to the official GitHub advisory.

  • CVE-2025-47582: Critical PHP Object Injection in WPBot Pro WordPress Chatbot Plugin

    Overview

    On May 19, 2025, a critical vulnerability was disclosed under the identifier CVE-2025-47582. This vulnerability affects the WPBot Pro WordPress Chatbot plugin by QuantumCloud, in all versions up to and including 12.7.0. It involves a PHP Object Injection issue due to the unsafe deserialization of untrusted data. This flaw allows attackers to execute arbitrary code remotely and has received a CVSS v3.1 base score of 9.8 (Critical).

    Technical Details

    The core of the vulnerability lies in how the plugin handles serialized data. It fails to properly validate input before deserialization, making it possible for attackers to inject malicious PHP objects. This type of issue is categorized as CWE-502: Deserialization of Untrusted Data, which is a common and severe programming flaw in PHP applications.

    Attackers can exploit this vulnerability to gain full control over the affected website, access sensitive information, alter functionality, or cause a complete service outage. The attack pattern aligns with CAPEC-586: Object Injection, highlighting the risks of allowing deserialization without strict controls.

    CVSS Breakdown

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Attack Vector: Network – Can be exploited remotely.
    • Attack Complexity: Low – No special conditions required.
    • Privileges Required: None – No authentication needed.
    • User Interaction: None – Fully automated attack possible.
    • Confidentiality, Integrity, Availability: High – Complete system compromise possible.

    Impacted Versions

    All versions of WPBot Pro WordPress Chatbot up to and including 12.7.0 are affected. If you are using this plugin, immediate action is strongly recommended.

    Discovery and Credit

    This vulnerability was responsibly disclosed by Tran Nguyen Bao Khanh from VCI – VNPT. The advisory has been published and verified by Patchstack.

    Mitigation Steps

    • Update the WPBot Pro plugin to a version newer than 12.7.0, if available.
    • If no patch is yet available, disable the plugin until a secure version is released.
    • Consider deploying a Web Application Firewall (WAF) to mitigate attack attempts targeting serialized inputs.

    Conclusion

    PHP Object Injection vulnerabilities pose severe security threats, especially when they are exposed over the network without requiring authentication. Developers must avoid using unserialize() on user-supplied input or must implement robust validation controls. Website owners should maintain a regular update strategy and monitor vulnerability disclosures relevant to their stack.

    For further information, consult the official advisory on Patchstack.

  • CVE-2025-47581: Critical PHP Object Injection in WordPress Events Calendar Registration & Tickets Plugin

    Overview

    On May 19, 2025, a critical vulnerability was published under the identifier CVE-2025-47581. This vulnerability affects the popular WordPress plugin Events Calendar Registration & Tickets by Elbisnero, up to version 2.6.0. The flaw is a PHP Object Injection vulnerability resulting from unsafe deserialization of untrusted data. It has received a CVSS v3.1 base score of 9.8 (Critical).

    Technical Details

    The vulnerability stems from improper handling of serialized input within the plugin’s codebase. Specifically, the plugin deserializes data without adequate validation or sanitation, allowing attackers to inject arbitrary PHP objects. This can be exploited to execute arbitrary code or manipulate application behavior.

    According to the Common Weakness Enumeration, this issue maps to CWE-502: Deserialization of Untrusted Data. The vulnerability is cataloged under the CAPEC-586: Object Injection attack pattern, highlighting the security implications of insecure deserialization techniques.

    The CVSS v3.1 vector string for this vulnerability is:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    This means:

    • Attack Vector (AV): Network – Can be exploited remotely.
    • Attack Complexity (AC): Low – Easily executed without complex conditions.
    • Privileges Required (PR): None – No authentication required.
    • User Interaction (UI): None – No user involvement necessary.
    • Confidentiality, Integrity, Availability Impact: High – Severe consequences on data and service integrity.

    Impacted Versions

    The vulnerability affects all versions of WordPress Events Calendar Registration & Tickets up to and including version 2.6.0. According to the vendor’s disclosure, newer versions may not be impacted, but users are strongly advised to verify and apply updates promptly.

    Discovery and Credits

    The vulnerability was discovered by Bonds from the Patchstack Alliance, a group dedicated to identifying and mitigating vulnerabilities in WordPress ecosystems. The issue was responsibly disclosed and publicly documented by Patchstack.

    Mitigation

    If you are using a vulnerable version (≤ 2.6.0) of the plugin:

    • Immediately update to a patched version, if available.
    • If no fix is available, consider disabling or replacing the plugin temporarily.
    • Employ a Web Application Firewall (WAF) to detect and block suspicious serialized data patterns.

    Conclusion

    This vulnerability is a stark reminder of the risks associated with deserialization and untrusted user input. Plugin developers should avoid unsafe PHP functions like unserialize() without proper controls and adopt secure coding practices. Website administrators must stay vigilant by keeping plugins up to date and monitoring for new disclosures regularly.
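    The two PHP Object Injection entries above (CVE-2025-47582 in WPBot Pro and CVE-2025-47581 in Events Calendar Registration & Tickets) both come down to `unserialize()` being reached by attacker-controlled bytes. The following is an added example, not code from either plugin; the `example_` names are hypothetical and the inputs are constructed. It shows the unsafe call beside three defensive options: forbidding object instantiation, switching to JSON, and authenticating a serialized blob before it is ever parsed.

```php
<?php
// Added example, not WPBot Pro or Events Calendar code. Names (example_*)
// are hypothetical; the inputs below are constructed.

// Vulnerable pattern: unserialize() on attacker-controlled bytes lets the
// attacker pick which classes are instantiated, and any __wakeup/__destruct
// on those classes then runs with the plugin's privileges.
function example_load_settings_unsafe( string $raw ) {
    return unserialize( $raw );
}

// Hardening 1: forbid object instantiation entirely. With allowed_classes
// false, an "O:" payload becomes __PHP_Incomplete_Class, which carries no
// magic methods of its own, so a gadget chain cannot start. We only accept
// the shape we expect (an array).
function example_load_settings_no_objects( string $raw ) {
    $data = @unserialize( $raw, [ 'allowed_classes' => false ] );
    return is_array( $data ) ? $data : null;
}

// Hardening 2 (preferred for new code): don't use PHP serialization for
// untrusted input at all. JSON decoding yields only scalars and arrays.
function example_load_settings_json( string $raw ) {
    $data = json_decode( $raw, true, 8 );
    return ( JSON_ERROR_NONE === json_last_error() && is_array( $data ) ) ? $data : null;
}

// Hardening 3: when a serialized blob must round-trip through the client
// (cookie, hidden field), authenticate it so tampered bytes are rejected
// before unserialize() sees them. Still combined with allowed_classes.
function example_seal( array $data, string $key ): string {
    $blob = serialize( $data );
    return base64_encode( $blob ) . '.' . hash_hmac( 'sha256', $blob, $key );
}
function example_unseal( string $sealed, string $key ) {
    $parts = explode( '.', $sealed, 2 );
    if ( 2 !== count( $parts ) ) {
        return null;
    }
    $blob = base64_decode( $parts[0], true );
    if ( false === $blob || ! hash_equals( hash_hmac( 'sha256', $blob, $key ), $parts[1] ) ) {
        return null; // tampered or forged
    }
    $data = @unserialize( $blob, [ 'allowed_classes' => false ] );
    return is_array( $data ) ? $data : null;
}

// Constructed demonstration inputs: a harmless array, and an object of a
// built-in class standing in for the classes an attacker would choose.
$benign  = serialize( [ 'greeting' => 'hi', 'limit' => 5 ] );
$objects = serialize( (object) [ 'foo' => 'bar' ] );

example_load_settings_unsafe( $objects );     // instantiates whatever class the bytes name
example_load_settings_no_objects( $objects ); // rejected: not an array after allowed_classes=false
example_load_settings_no_objects( $benign );  // the settings array, unchanged
example_load_settings_json( '{"limit":5}' );  // the same data without PHP serialization at all

$key = bin2hex( random_bytes( 32 ) );         // per-site key from wp-config or a secrets store
example_unseal( example_seal( [ 'limit' => 5 ], $key ), $key );       // accepted
example_unseal( example_seal( [ 'limit' => 5 ], $key ) . 'x', $key ); // rejected: HMAC mismatch
```

    The `allowed_classes` option exists since PHP 7.0, so it is available on every version WordPress currently supports; a WAF rule that blocks `O:` in request parameters (the mitigation both advisories mention) is a useful backstop but does not replace the code-level fix.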

    For further details, see the official advisory on Patchstack.

  • CVE-2025-4389: Critical File Upload Vulnerability in Crawlomatic Plugin for WordPress

    Overview

    A critical vulnerability identified as CVE-2025-4389 affects the Crawlomatic Multipage Scraper Post Generator plugin for WordPress, up to and including version 2.6.8.1. Discovered by Friderika Baranyai and disclosed on May 16, 2025, this flaw enables unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution (RCE).

    Technical Details

    The vulnerability resides in the crawlomatic_generate_featured_image() function, which lacks proper file type validation. As a result, attackers can upload malicious files directly to the affected server without any authentication. This violates best practices in secure coding, particularly around file handling and input validation.

    This issue is categorized under CWE-434: Unrestricted Upload of File with Dangerous Type, which involves failure to restrict uploads to safe file types, opening the door for execution of hostile code on the server.
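    To show what the missing file type validation looks like in code, here is an added example that is not Crawlomatic's code; the `example_` function names are hypothetical, and the `$file` argument is assumed to be a `$_FILES`-style array (the same checks apply to an image fetched from a remote URL before it is written to disk). The unchecked version writes whatever it was given under the web root; the hardened version allowlists image types, checks the extension against the actual bytes with WordPress's `wp_check_filetype_and_ext()`, picks its own file name, and lets `wp_handle_upload()` place the file.

```php
<?php
// Added example, not Crawlomatic code. Function names are hypothetical; the
// $file array is assumed to have the $_FILES shape (name, tmp_name, type, ...).

// Unrestricted pattern (CWE-434): the client's file name, including its
// extension, decides what lands in a web-served directory.
function example_save_image_unchecked( array $file, string $dest_dir ) {
    $dest = trailingslashit( $dest_dir ) . basename( $file['name'] );
    return move_uploaded_file( $file['tmp_name'], $dest ) ? $dest : false;
}

// Hardened pattern.
function example_save_image_checked( array $file ) {
    // 1. Allowlist, not denylist: only image types this feature needs.
    $allowed = [
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    ];

    // 2. Extension and real content must agree. wp_check_filetype_and_ext()
    //    inspects the bytes, so "shell.php" or a renamed script yields no ext.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'Only JPEG, PNG, GIF or WebP images are accepted.' );
    }

    // 3. Independent content check: getimagesize() fails on non-image data
    //    even when the declared MIME type was forged.
    if ( false === @getimagesize( $file['tmp_name'] ) ) {
        return new WP_Error( 'bad_image', 'File is not a readable image.' );
    }

    // 4. Never keep the client-supplied name; keep only the validated extension.
    $file['name'] = wp_generate_password( 16, false ) . '.' . $check['ext'];

    // 5. Let core move the file into wp-content/uploads with its own checks
    //    (size limits, sanitized name, the same allowlist applied again).
    $result = wp_handle_upload( $file, [ 'test_form' => false, 'mimes' => $allowed ] );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    return $result['file']; // absolute path inside the uploads directory
}
```

    Two defence-in-depth measures sit outside the code: the uploads directory should not execute PHP at all (a `.htaccess` or nginx `location` rule denying `*.php` under `wp-content/uploads`), and the mitigation lists above already say the rest: periodically list PHP files under upload paths, since a validated upload path should never produce one.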

    CVSS Score and Impact

    The vulnerability has been rated CRITICAL with a CVSS v3.1 base score of 9.8. The vector string is:

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Key characteristics of this score include:

    • Exploitable remotely over a network (AV:N)
    • Low attack complexity (AC:L)
    • No privileges or user interaction required (PR:N, UI:N)
    • High impact on confidentiality, integrity, and availability (C:H, I:H, A:H)

    Impacted Versions

    All versions of the plugin up to and including 2.6.8.1 are affected. Users running these versions are highly encouraged to update or disable the plugin immediately.

    Mitigation and Recommendations

    Users should consult the plugin vendor for updates or security patches. In the absence of an immediate patch, disabling the plugin is advised. For reference and further reading, see:

    CISA’s SSVC analysis identifies the vulnerability as automatable with a total technical impact, further underlining the urgency of remediation efforts.

    Conclusion

    CVE-2025-4389 is a severe security risk for WordPress sites using the Crawlomatic plugin. The ability for unauthenticated users to upload files with no validation represents a significant attack vector. Site administrators must act swiftly to mitigate this threat.

  • CVE-2025-30016: Critical Authentication Bypass in SAP Financial Consolidation

    Overview

    On April 8, 2025, SAP disclosed a critical vulnerability identified as CVE-2025-30016 in its Financial Consolidation software (version FINANCE 1010). This flaw allows an unauthenticated attacker to gain unauthorized access to the Admin account, compromising the entire system’s security posture.

    Technical Details

    The vulnerability stems from improper authentication mechanisms within SAP Financial Consolidation. Specifically, the system fails to adequately enforce authentication controls, enabling attackers on the network to bypass security and access high-privilege functionality.

    This issue is classified under CWE-921: Storage of Sensitive Data in a Mechanism without Access Control. It implies that sensitive data, such as admin credentials or access tokens, might be exposed or improperly protected, thereby increasing the risk of exploitation.

    CVSS Score and Impact

    The vulnerability has received a CVSS v3.1 base score of 9.8, reflecting its severity and ease of exploitation. The vector string is:

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    This score indicates:

    • Attack is remotely exploitable over a network (AV:N)
    • Low attack complexity (AC:L)
    • No privileges required (PR:N)
    • No user interaction needed (UI:N)
    • High impact on confidentiality, integrity, and availability (C:H/I:H/A:H)

    Impacted Software

    The affected product is SAP Financial Consolidation FINANCE 1010. All deployments running this version should be considered at risk. This vulnerability is critical for enterprises relying on this software for financial reporting and data management.

    Mitigation and Advisory

    SAP has issued an advisory and relevant security patches. Organizations using SAP Financial Consolidation should immediately review the following resources:

    Although there is no known exploitation in the wild, CISA’s SSVC (Stakeholder-Specific Vulnerability Categorization) marks the technical impact as total and the vulnerability as automatable — indicating a high potential risk if not mitigated.

    Conclusion

    CVE-2025-30016 presents a serious security risk to organizations using SAP Financial Consolidation. With unauthenticated remote access to administrative functions, attackers could cause severe data breaches or system outages. Immediate patching and system audits are strongly advised.