Tag: cve

Critical Cryptographic Weakness in WPS Office Enables Update Hijacking (CVE-2025-2516)
Overview
A critical vulnerability, identified as CVE-2025-2516, has been found in WPS Office for Windows by Kingsoft. The flaw stems from the use of a weak cryptographic key pair in the software’s signature verification process, which may allow attackers to sign malicious components as legitimate. This issue is further compounded by older WPS Office versions failing to validate the update server’s certificate, making it vulnerable to Adversary-In-The-Middle (AITM) attacks.
Technical Details
This vulnerability involves inadequate encryption strength, formally classified as CWE-326. The weak cryptographic key used for signature verification could be recovered through brute-force techniques. Once the private key is obtained, an attacker can generate valid-looking signed components and inject them into the software update mechanism.
Older versions of WPS Office exacerbated this risk by not verifying the identity of the update server. This allowed attackers in a man-in-the-middle position to redirect users to malicious updates, fully compromising affected systems.
CVSS and Severity
Using the CVSS v4.0 scoring system, the vulnerability has been rated as Critical with a base score of 9.5. The vector string is:
```
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/U:Amber
```
This reflects:
- Attack is network-based
- No privileges or user interaction required
- High impact on confidentiality, integrity, and availability
- High complexity due to key recovery requirement
Attack Patterns
The vulnerability aligns with several attack patterns:
Real-World Exploitation
This vulnerability has already been weaponized by a threat actor, underlining its severity and the urgency for remediation.
Mitigation
Users are advised to update WPS Office to the latest secure version and ensure that update processes validate server certificates. Organizations should also monitor for signs of tampered updates and verify the authenticity of software components.
Further Information
More insights are available in the detailed research by ESET: WeLiveSecurity Report.
Conclusion
CVE-2025-2516 is a reminder of the critical role cryptographic strength and secure update channels play in software integrity. Organizations should treat this vulnerability as high priority and respond accordingly to prevent potential exploitation.
2025-05-20
Critical Authentication Bypass in U-Office Force (CVE-2025-2395)
Overview
A critical security vulnerability, CVE-2025-2395, has been identified in U-Office Force, a product developed by e-Excellence. This vulnerability allows unauthenticated remote attackers to gain administrative access by manipulating cookies and exploiting a vulnerable API endpoint. The flaw affects all versions prior to 28.0.
Technical Details
The root cause of the issue is the application’s reliance on cookies without proper validation and integrity checking, classified as CWE-565. Attackers can exploit this by forging or modifying session cookies, effectively bypassing authentication mechanisms and assuming the identity of privileged users.
Once the attacker crafts a malicious request to a specific API endpoint and sets a tampered cookie, they can log in as an administrator without needing any credentials. This technique is categorized under the CAPEC-226: Session Credential Falsification through Manipulation attack pattern.
CVSS and Severity
The vulnerability has been rated Critical with a CVSS v3.1 base score of 9.8. The vector string is:
```
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
```
This score reflects the following characteristics:
- Attack is possible over the network
- Requires no privileges or user interaction
- Leads to high impact on confidentiality, integrity, and availability
Impact
Successful exploitation could allow full administrative control over the affected system. Attackers could access sensitive information, manipulate configurations, install malicious code, or disrupt services—posing a severe risk to organizational security and operations.
Mitigation
Users of U-Office Force are strongly advised to upgrade to version 28.0 or later, which addresses this vulnerability. Organizations should also audit any suspicious authentication events and enhance session validation mechanisms as a precaution.
Additional Information
More details about this vulnerability and updates are available via the following resources:
- TWCERT advisory (Traditional Chinese)
- TWCERT advisory (English)
Conclusion
CVE-2025-2395 is a reminder of the dangers posed by weak authentication practices. Developers and system administrators must implement rigorous validation for session credentials to prevent unauthorized access and protect sensitive systems from exploitation.
2025-05-20
Critical Authentication Bypass in BuddyBoss Platform Pro (CVE-2025-1909)
Overview
A critical vulnerability has been discovered in the BuddyBoss Platform Pro plugin for WordPress, affecting all versions up to and including 2.7.01. This flaw, tracked as CVE-2025-1909, allows unauthenticated attackers to bypass authentication and log in as any existing user, including administrators, via the Apple OAuth provider.
Technical Details
The vulnerability arises due to insufficient verification of the user identity during the Apple OAuth authentication process. When a login request is made through this provider, the plugin fails to properly confirm the authenticity of the user information. This oversight enables attackers who know the email address of an existing user to craft a malicious request and gain unauthorized access.
This issue is categorized under CWE-288: Authentication Bypass Using an Alternate Path or Channel.
CVSS and Severity
According to the Common Vulnerability Scoring System (CVSS) v3.1, this vulnerability has a base score of 9.8, making it Critical in severity. The vector string is:
```
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
```
This indicates that:
- The attack is network-based
- No privileges are required
- No user interaction is needed
- Impact is high on confidentiality, integrity, and availability
Impact
Successful exploitation means attackers can impersonate site users, including administrators, leading to complete control over the WordPress site. This includes access to sensitive data, ability to install malicious plugins or themes, and potential full site compromise.
Mitigation
Site administrators are urged to update BuddyBoss Platform Pro to the latest available version immediately. As of the publication date, version 2.7.10 includes the necessary fix.
If updating is not immediately possible, consider temporarily disabling Apple OAuth login functionality until the update can be applied.
Discovery and Disclosure
This vulnerability was discovered by István Márton and responsibly disclosed to the vendor on March 3, 2025. The issue was publicly disclosed on May 5, 2025. For more technical information, see the Wordfence advisory.
Conclusion
CVE-2025-1909 highlights the importance of rigorous identity validation in third-party authentication mechanisms. Website owners using BuddyBoss Platform Pro should take immediate action to mitigate potential exploitation and protect user accounts from unauthorized access.
2025-05-20
Critical RCE Vulnerability in Kubernetes ingress-nginx (CVE-2025-1974)
Overview
A critical security vulnerability has been identified in the Kubernetes ingress-nginx controller, tracked as CVE-2025-1974. This vulnerability allows unauthenticated attackers with access to the pod network to achieve Remote Code Execution (RCE) within the context of the ingress-nginx controller, potentially leading to the disclosure of Kubernetes Secrets across the cluster.
Technical Details
The vulnerability stems from the Validating Admission Controller module in the ingress-nginx project. Under certain misconfigured conditions, it is possible for an attacker to inject and execute arbitrary code through this admission controller if they can reach the controller from within the pod network.
The affected versions include:
- All versions up to 1.11.4
- 1.12.0
This issue was caused by improper isolation or compartmentalization, which corresponds to CWE-653. The underlying attack pattern matches CAPEC-251: Local Code Inclusion.
CVSS and Severity
According to the Common Vulnerability Scoring System (CVSS) v3.1, this vulnerability has been assigned a base score of 9.8, indicating a Critical severity level. The vector string is as follows:
```
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
```
This means that the attack is:
- Remotely exploitable over the network
- Requires no user interaction
- Requires no privileges
- Results in high impact to confidentiality, integrity, and availability
Impact and Risks
If exploited, attackers may gain the ability to run arbitrary commands in the controller’s context. Since ingress-nginx controllers commonly have access to all cluster Secrets by default, this could lead to severe data leakage, credential theft, and cluster-wide compromise.
Security researchers Nir Ohfeld, Ronen Shustin, Sagi Tzadik, and Hillai Ben Sasson were credited with discovering this issue. It was also assessed under the CISA SSVC framework as having:
- Proof of Concept (PoC) exploitation
- Automatable potential
- Total technical impact
Mitigation and Workaround
Before applying the official patch, system administrators can mitigate this vulnerability by disabling the Validating Admission Controller in ingress-nginx. However, this may affect some admission control policies, so review your cluster’s configuration accordingly.
To disable the controller, modify the deployment to remove or comment out the relevant webhook configurations. More details are available on the Kubernetes GitHub issue: GitHub Issue 131009.
Conclusion
CVE-2025-1974 highlights the importance of strict isolation and privilege boundaries within Kubernetes controllers. Administrators using ingress-nginx should update to a patched version as soon as it becomes available, and review network access controls within their clusters.
2025-05-20
CVE-2025-29814: Critical Privilege Escalation in Microsoft Partner Center
Overview
On March 21, 2025, Microsoft disclosed a critical security vulnerability identified as CVE-2025-29814 in the Microsoft Partner Center. This flaw allows an authorized attacker to escalate privileges across a network due to improper authorization mechanisms.
The issue has been categorized under CWE-20: Improper Input Validation. It carries a CVSS 3.1 base score of 9.3, classifying it as a critical vulnerability.
What is Microsoft Partner Center?
The Microsoft Partner Center is an administrative platform for managing partner relationships, customer subscriptions, and billing across Microsoft services. It serves as a central hub for service provisioning, making it a high-value target for attackers seeking to exploit privilege escalation weaknesses.
Technical Details
The vulnerability stems from improper authorization validation in the Microsoft Partner Center API. While exact implementation details are not public, Microsoft has confirmed that an attacker with basic access rights can exploit the flaw to gain elevated privileges on the system. This allows for actions typically reserved for higher-privilege accounts, such as administrative functions.
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H
- Severity: Critical (9.3)
- Attack Vector: Network
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact: High on integrity and availability
Understanding CVSS 3.1 Metrics
The CVSS (Common Vulnerability Scoring System) is a framework used to assess the severity of software vulnerabilities. This CVE’s high score of 9.3 indicates significant potential for damage if exploited, especially considering the ease of exploitation (low complexity) and the absence of required privileges.
Security Classification: CWE-20
CWE-20 refers to Improper Input Validation, where an application does not properly check the inputs it receives. In this case, failure to validate authorization credentials allows privilege escalation. This is a common and dangerous class of vulnerability due to its potential to affect system-wide security.
Exploitation Status and Impact
According to CISA’s SSVC (Stakeholder-Specific Vulnerability Categorization), exploitation of this vulnerability had not been observed at the time of disclosure. However, the technical impact is rated as total, emphasizing the urgency for mitigation.
While the flaw is in a cloud-hosted platform, system administrators and partners relying on Microsoft Partner Center should apply any available patches or mitigations immediately and audit account activity for suspicious behavior.
Mitigation and Recommendations
- Follow Microsoft’s official advisory for updates: CVE-2025-29814 Advisory
- Enable monitoring and alerting on all administrative activity
- Review user access privileges and implement the principle of least privilege
- Apply available patches or updates provided by Microsoft
Conclusion
CVE-2025-29814 highlights the critical importance of proper authorization in cloud service platforms. The potential for widespread privilege escalation demands immediate attention from affected organizations. Stay vigilant and prioritize timely updates and access control reviews.
2025-05-19
CSRF Vulnerability in WordPress User Profile Meta Manager Plugin (CVE-2025-48340)
Overview
A critical security vulnerability has been identified in the WordPress plugin User Profile Meta Manager, developed by Danny Vink. This flaw, registered as CVE-2025-48340, allows attackers to perform a Cross-Site Request Forgery (CSRF) attack, potentially leading to privilege escalation.
The affected versions include all releases up to and including version 1.02. The vulnerability has been confirmed and published by Patchstack on May 19, 2025.
Technical Details
The issue stems from improper validation of user-supplied requests in the plugin’s implementation. Specifically, the vulnerability is classified under CWE-352: Cross-Site Request Forgery (CSRF). CSRF attacks occur when a malicious actor tricks a logged-in user into unknowingly executing actions within a web application, typically by loading a crafted URL or image that triggers an HTTP request on the victim’s behalf.
According to the Common Vulnerability Scoring System (CVSS) v3.1, this vulnerability scores a 9.8 out of 10, marking it as Critical. The vector string for this CVSS score is:
```
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
```
This indicates the attack can be conducted remotely (Attack Vector: Network), requires low complexity, and no privileges or user interaction. The impact on confidentiality, integrity, and availability is high.
Impact
Successful exploitation could allow an unauthenticated attacker to escalate privileges by forging requests that appear to originate from a legitimate administrator. This could result in unauthorized access to sensitive user data, plugin configurations, or potentially full control over the WordPress site depending on how the plugin integrates with user roles.
The vulnerability aligns with CAPEC-233: Privilege Escalation, highlighting the attack’s potential to allow unauthorized users to gain elevated permissions.
Remediation
- Update the Plugin: Site administrators are strongly advised to update the User Profile Meta Manager plugin to a patched version (if available) as soon as possible.
- Monitor User Accounts: Review user accounts for unauthorized privilege changes.
- Apply Web Security Best Practices: Use Web Application Firewalls (WAFs) and ensure CSRF tokens are enforced across plugins and custom forms.
The vulnerability was discovered by chuck (Patchstack Alliance), and more details can be found on the Patchstack vulnerability database.
Conclusion
This critical vulnerability exemplifies the importance of secure coding practices, especially around authorization and input validation. Plugin developers should ensure proper nonce usage and request verification to mitigate CSRF risks. Administrators must stay informed and keep all plugins up-to-date to prevent exploitation.
2025-05-19
CVE-2025-47284: Critical Privilege Escalation in Gardener via Metadata Injection
Overview
On May 19, 2025, a critical security vulnerability was published under the identifier CVE-2025-47284, affecting the Gardener project—a tool used for the automated management of Kubernetes clusters as a service. The issue resides in the gardenlet component and poses a serious risk of privilege escalation due to improper handling of metadata injection.
What is Gardener?
Gardener is an open-source project developed by SAP that provides Kubernetes-as-a-Service by automating the provisioning and operation of Kubernetes clusters. It uses a control plane for each managed cluster and supports multi-cloud environments. A component called gardenlet is deployed on seed clusters to manage shoot clusters on behalf of users.
Vulnerability Details
The vulnerability arises from improper neutralization of escape, meta, or control sequences, classified as CWE-150. Specifically, metadata injection into project secrets can be exploited by an attacker with administrative privileges over a Gardener project. This enables the attacker to escalate their privileges and gain control over the seed clusters that host the shoot clusters for that project.
All Gardener installations using the gardener/gardener-extension-provider-gcp module are affected.
Technical Impact
- CVSS v3.0 Score: 9.9 (Critical)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Confidentiality, Integrity, and Availability Impact: High
The vulnerability can be exploited remotely over the network and requires only low-level privileges within the Gardener project. No user interaction is required. Once exploited, the attacker can manipulate critical cluster management operations and compromise the integrity and availability of managed Kubernetes environments.
Affected Versions
- Gardener versions < 1.116.4
- Gardener 1.117.0 to < 1.117.5
- Gardener 1.118.0 to < 1.118.2
Versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0 contain patches addressing this issue.
Mitigation
It is strongly recommended that users upgrade to the latest patched versions of Gardener as listed above. Immediate action is required for any deployments using the vulnerable gardener-extension-provider-gcp module.
Conclusion
CVE-2025-47284 underscores the importance of secure metadata handling in cloud-native platforms. With a near-maximum CVSS score and the potential for full cluster compromise, this flaw should be addressed promptly by all affected users. For more details, refer to the GitHub security advisory.
2025-05-19
CVE-2025-47283: Critical Privilege Escalation in Gardener Kubernetes Management
Overview
On May 19, 2025, a critical vulnerability was disclosed in the Gardener Kubernetes cluster management platform. Identified as CVE-2025-47283, the flaw permits privilege escalation by bypassing project secret validation, potentially allowing a project administrator to gain unauthorized access to the seed cluster(s) responsible for managing shoot clusters.
This vulnerability is tracked under GHSA-3hw7-qj9h-r835 and has been rated as Critical with a CVSS v3.0 base score of 9.9.
Technical Details
The vulnerability stems from improper input validation, categorized under CWE-20: Improper Input Validation. This means that user-supplied data is not properly checked before being processed, allowing potentially malicious input to influence system behavior.
In the context of Gardener, an administrative user within a project could manipulate secrets associated with their cluster to influence the behavior of the gardenlet component running on the seed cluster. This manipulation enables them to elevate privileges and execute operations outside their intended scope.
Impact
This flaw impacts all Gardener installations regardless of the public cloud provider used for the seed or shoot clusters. Exploitation could allow:
- Unauthorized control over seed clusters
- Compromise of other tenant clusters
- Loss of confidentiality, integrity, and availability within the Kubernetes management infrastructure
The vulnerability has a Changed Scope in the CVSS vector, indicating that an attacker’s access could impact components beyond the initially vulnerable system.
Affected Versions
The following versions of gardener/gardener are affected:
- All versions prior to 1.116.4
- Versions 1.117.0 through 1.117.4
- Versions 1.118.0 through 1.118.1
Mitigation
Users are strongly advised to upgrade to one of the following patched versions:
- 1.116.4
- 1.117.5
- 1.118.2
- 1.119.0 or later
Upgrading ensures that project secret validation is enforced correctly, preventing unauthorized privilege escalation within the system.
Understanding the Terms
Gardener is an open-source project developed by SAP that enables the automated management of Kubernetes clusters at scale. It introduces the concept of shoot clusters (end-user Kubernetes clusters) and seed clusters (infrastructure clusters that host shoot clusters).
CVSS (Common Vulnerability Scoring System) provides a numerical score to indicate the severity of a vulnerability. A score of 9.9 indicates an extremely high risk, especially when no user interaction is required and the attack can be performed remotely.
CWE-20 represents a category of vulnerabilities arising from improper input validation, a common flaw that can lead to injection, escalation, or arbitrary code execution.
Conclusion
CVE-2025-47283 highlights the importance of strict input validation and the risks posed by misconfigured secrets in Kubernetes management platforms. Organizations using Gardener should patch immediately and review their cluster access policies to ensure secure multi-tenancy.
2025-05-19
CVE-2025-1638: Authentication Bypass in Alloggio Membership Plugin via Social Login
Overview
CVE-2025-1638 is a critical vulnerability found in the Alloggio Membership plugin for WordPress, affecting all versions up to and including 1.1. The issue enables unauthenticated attackers to log in as any user, including site administrators, without knowing the password, due to flaws in the plugin’s social login handling.
Technical Details
The vulnerability is caused by insufficient identity validation within the alloggio_membership_init_rest_api_facebook_login and alloggio_membership_init_rest_api_google_login functions. These functions are responsible for handling Facebook and Google login requests via REST API endpoints. However, they fail to properly authenticate and verify user identity tokens before granting access.
As a result, attackers can craft fake social login requests and impersonate any existing user on the site, including those with administrator privileges. This flaw is categorized under CWE-288: Authentication Bypass Using an Alternate Path or Channel.
CVSS Score
This vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical):
```
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
```
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Impact: High across Confidentiality, Integrity, and Availability
Affected Versions
All versions of the Alloggio Membership plugin up to and including 1.1 are affected. The vulnerability impacts sites using this plugin with social login features enabled.
Mitigation
- Update the Alloggio Membership plugin to a version that patches this issue, if available.
- Temporarily disable social login features on affected sites.
- Audit user access logs for signs of suspicious logins or account takeovers.
Conclusion
This vulnerability highlights the importance of robust identity validation in OAuth and social login implementations. Developers must ensure that authentication tokens are properly verified with the identity provider before granting access. Site administrators using the Alloggio Membership plugin should take immediate action to secure their sites.
Thanks to Tonn for discovering this issue. For further details, visit the official Wordfence advisory.
2025-05-19
CVE-2025-1315: Critical Privilege Escalation via Password Reset in InWave Jobs WordPress Plugin
Overview
CVE-2025-1315 is a critical vulnerability in the InWave Jobs plugin for WordPress, affecting all versions up to and including 3.5.1. This flaw allows unauthenticated attackers to reset the password of any user, including administrators, leading to full compromise of affected WordPress sites.
Technical Details
The vulnerability arises from the plugin’s failure to properly validate the identity of the user initiating a password reset. As a result, an attacker can craft a request that changes the password of any account without authentication. This type of flaw is categorized under CWE-288: Authentication Bypass Using an Alternate Path or Channel.
Once the password of a privileged user, such as an administrator, is changed, the attacker gains full access to the backend, allowing them to:
- Modify or delete content
- Install malicious plugins or themes
- Exfiltrate sensitive data
- Compromise other user accounts
CVSS Score
This vulnerability has been assigned a CVSS v3.1 score of 9.8 (Critical):
```
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
```
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact: High for Confidentiality, Integrity, and Availability
Impacted Versions
All versions of the InWave Jobs plugin up to and including 3.5.1 are affected. This includes installations integrated with themes like InJob.
Mitigation
- Immediately update to a patched version if available.
- Disable the plugin temporarily if an update is not available.
- Review your site’s user accounts for unauthorized changes or suspicious activity.
- Reset administrator passwords after patching to ensure security.
Conclusion
This vulnerability emphasizes the importance of strict identity validation for all user-sensitive actions, especially password resets. A missing check in such a critical function can open the door to full system compromise. Site administrators using InWave Jobs should patch immediately and audit their sites for signs of intrusion.
Credit for discovery goes to Tonn. For more information, visit the Wordfence advisory.
2025-05-19