Tag: score:9.8

  • Critical Authentication Bypass in U-Office Force (CVE-2025-2395)

    Overview

    A critical security vulnerability, CVE-2025-2395, has been identified in U-Office Force, a product developed by e-Excellence. This vulnerability allows unauthenticated remote attackers to gain administrative access by manipulating cookies and exploiting a vulnerable API endpoint. The flaw affects all versions prior to 28.0.

    Technical Details

    The root cause is that the application trusts values carried in cookies without validating them or checking their integrity (CWE-565: Reliance on Cookies without Validation and Integrity Checking). Because the server treats the cookie's contents as authoritative, an attacker can forge or alter session cookies, bypass the authentication mechanism entirely, and assume the identity of privileged users.

    Once the attacker crafts a malicious request to a specific API endpoint and sets a tampered cookie, they can log in as an administrator without needing any credentials. This technique is categorized under the CAPEC-226: Session Credential Falsification through Manipulation attack pattern.
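    As an added illustration (not code from U-Office Force or its vendor), the following Python sketch contrasts the CWE-565 pattern with a server-side session. The account table and cookie names are constructed for the example. The vulnerable handler reads identity and role straight from the cookie, so the forged cookie is enough; the hardened handler accepts only an opaque random session id it issued itself after a credential check, and keeps the role on the server.

```python
import secrets
from typing import Dict, Optional

# Constructed account table for the example (not U-Office Force data).
ACCOUNTS = {"alice": "user", "sysadmin": "admin"}


def vulnerable_current_user(cookies: Dict[str, str]) -> Optional[dict]:
    """CWE-565: identity and role are read straight from the cookie, so any client
    can set role=admin. Nothing here proves the client ever authenticated."""
    user, role = cookies.get("user"), cookies.get("role")
    if user is None or role is None:
        return None
    return {"user": user, "role": role}


class SessionStore:
    """Hardened pattern: the cookie carries only an opaque random session id; the role
    and the expiry live server-side, keyed by that id, and are created only after a
    real credential check."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self._sessions: Dict[str, dict] = {}
        self._ttl = ttl_seconds

    def login(self, username: str, password_ok: bool, now: float) -> Optional[str]:
        if not password_ok or username not in ACCOUNTS:
            return None
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not forgeable or guessable
        self._sessions[sid] = {"user": username, "role": ACCOUNTS[username], "expires": now + self._ttl}
        return sid  # set as a Secure; HttpOnly; SameSite cookie

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def current_user(self, cookies: Dict[str, str], now: float) -> Optional[dict]:
        sid = cookies.get("sid", "")
        rec = self._sessions.get(sid)
        if rec is None:
            return None  # unknown id: every client-invented value lands here
        if rec["expires"] < now:
            self.logout(sid)
            return None
        return {"user": rec["user"], "role": rec["role"]}  # role comes from the server, never the cookie


if __name__ == "__main__":
    forged = {"user": "sysadmin", "role": "admin"}
    print("vulnerable handler, forged cookie:", vulnerable_current_user(forged))
    store = SessionStore()
    print("hardened handler, forged cookie:  ", store.current_user(forged, now=0))
    sid = store.login("alice", password_ok=True, now=0)
    print("hardened handler, issued session: ", store.current_user({"sid": sid}, now=10))
```

    The same reasoning applies to signed cookies: a signature makes tampering detectable, but only if the server verifies it on every request and the key never reaches the client. Keeping the state server-side removes the question entirely.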

    CVSS and Severity

    The vulnerability has been rated Critical with a CVSS v3.1 base score of 9.8. The vector string is:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    This score reflects the following characteristics:

    • Attack is possible over the network
    • Requires no privileges or user interaction
    • Leads to high impact on confidentiality, integrity, and availability

    Impact

    Successful exploitation could allow full administrative control over the affected system. Attackers could access sensitive information, manipulate configurations, install malicious code, or disrupt services—posing a severe risk to organizational security and operations.

    Mitigation

    Users of U-Office Force are strongly advised to upgrade to version 28.0 or later, which addresses this vulnerability. Until the upgrade is in place, restrict network access to the product's API, review authentication logs for administrator sessions that were not preceded by a successful credential check, and treat any administrator session established during the exposure window as suspect. As a general precaution, session state should be held server-side and keyed by an unguessable identifier rather than read from client-supplied cookie values.

    Additional Information

    More details about this vulnerability and updates are available via the following resources:

    Conclusion

    CVE-2025-2395 is a reminder of the dangers posed by weak authentication practices. Developers and system administrators must implement rigorous validation for session credentials to prevent unauthorized access and protect sensitive systems from exploitation.

  • Critical Authentication Bypass in BuddyBoss Platform Pro (CVE-2025-1909)

    Overview

    A critical vulnerability has been discovered in the BuddyBoss Platform Pro plugin for WordPress, affecting all versions up to and including 2.7.01. This flaw, tracked as CVE-2025-1909, allows unauthenticated attackers to bypass authentication and log in as any existing user, including administrators, via the Apple OAuth provider.

    Technical Details

    The vulnerability arises from insufficient verification of the user's identity during the Apple OAuth login flow. When a login request arrives through this provider, the plugin accepts the user information in the callback without confirming it against the identity assertion Apple actually returns. An attacker who knows the email address of an existing user can therefore craft a login request carrying that address and be signed in as that user.

    This issue is categorized under CWE-288: Authentication Bypass Using an Alternate Path or Channel.

    CVSS and Severity

    According to the Common Vulnerability Scoring System (CVSS) v3.1, this vulnerability has a base score of 9.8, making it Critical in severity. The vector string is:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    This indicates that:

    • The attack is network-based
    • No privileges are required
    • No user interaction is needed
    • Impact is high on confidentiality, integrity, and availability

    Impact

    Successful exploitation means attackers can impersonate site users, including administrators, leading to complete control over the WordPress site. This includes access to sensitive data, ability to install malicious plugins or themes, and potential full site compromise.

    Mitigation

    Site administrators are urged to update BuddyBoss Platform Pro to the latest available version immediately. As of the publication date, version 2.7.10 includes the necessary fix.

    If updating is not immediately possible, consider temporarily disabling Apple OAuth login functionality until the update can be applied.

    Discovery and Disclosure

    This vulnerability was discovered by István Márton and responsibly disclosed to the vendor on March 3, 2025. The issue was publicly disclosed on May 5, 2025. For more technical information, see the Wordfence advisory.

    Conclusion

    CVE-2025-1909 highlights the importance of rigorous identity validation in third-party authentication mechanisms. Website owners using BuddyBoss Platform Pro should take immediate action to mitigate potential exploitation and protect user accounts from unauthorized access.

  • Critical RCE Vulnerability in Kubernetes ingress-nginx (CVE-2025-1974)

    Overview

    A critical security vulnerability has been identified in the Kubernetes ingress-nginx controller, tracked as CVE-2025-1974. This vulnerability allows unauthenticated attackers with access to the pod network to achieve Remote Code Execution (RCE) within the context of the ingress-nginx controller, potentially leading to the disclosure of Kubernetes Secrets across the cluster.

    Technical Details

    The vulnerability lies in the validating admission webhook that ingress-nginx registers to check Ingress objects. The webhook listens on the pod network without authentication, and it validates an Ingress by rendering it into an nginx configuration and test-loading that configuration. Under certain conditions, an attacker who can reach the webhook from inside the pod network can submit a crafted AdmissionReview whose Ingress fields are carried into that configuration, leading to arbitrary code execution in the controller's context.

    The affected versions include:

    • All versions up to 1.11.4
    • 1.12.0

    This issue was caused by improper isolation or compartmentalization, which corresponds to CWE-653. The underlying attack pattern matches CAPEC-251: Local Code Inclusion.

    CVSS and Severity

    According to the Common Vulnerability Scoring System (CVSS) v3.1, this vulnerability has been assigned a base score of 9.8, indicating a Critical severity level. The vector string is as follows:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    This means that the attack is:

    • Remotely exploitable over the network
    • Requires no user interaction
    • Requires no privileges
    • Results in high impact to confidentiality, integrity, and availability

    Impact and Risks

    If exploited, attackers may gain the ability to run arbitrary commands in the controller’s context. Since ingress-nginx controllers commonly have access to all cluster Secrets by default, this could lead to severe data leakage, credential theft, and cluster-wide compromise.

    Security researchers Nir Ohfeld, Ronen Shustin, Sagi Tzadik, and Hillai Ben Sasson were credited with discovering this issue. It was also assessed under the CISA SSVC framework as having:

    • Proof of Concept (PoC) exploitation
    • Automatable potential
    • Total technical impact

    Mitigation and Workaround

    Until a patched release is deployed, administrators can remove the attack surface by disabling the validating admission webhook: delete the ValidatingWebhookConfiguration named ingress-nginx-admission and remove the --validating-webhook argument from the controller's Deployment (with the Helm chart, set controller.admissionWebhooks.enabled to false). With the webhook gone, malformed Ingress objects are no longer rejected at admission time, so review the cluster's configuration accordingly and re-enable it after upgrading.

    More details are available on the Kubernetes GitHub issue: GitHub Issue 131009.
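    An added triage check, written for this page rather than taken from the ingress-nginx project: it reads the JSON that `kubectl get deployments -A -o json` and `kubectl get validatingwebhookconfigurations -o json` produce, extracts the controller version from the image tag, compares it with the fixed releases (v1.11.5 and v1.12.1), and reports whether the admission webhook (named validate.nginx.ingress.kubernetes.io in the upstream manifests) is still registered. The two JSON documents embedded below are constructed samples.

```python
import json
import re
import sys
from typing import List, Optional, Tuple

# Releases that fix CVE-2025-1974: v1.11.5 and v1.12.1.
FIXED = {(1, 11): (1, 11, 5), (1, 12): (1, 12, 1)}
IMAGE_RE = re.compile(r"ingress-nginx/controller(?:-chroot)?:v?(\d+)\.(\d+)\.(\d+)")
WEBHOOK_NAME = "validate.nginx.ingress.kubernetes.io"  # name used in the upstream manifests


def parse_version(image: str) -> Optional[Tuple[int, int, int]]:
    """(major, minor, patch) from a controller image reference, or None if it is not the controller."""
    m = IMAGE_RE.search(image)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    major, minor, _ = version
    if (major, minor) in FIXED:
        return version < FIXED[(major, minor)]
    return (major, minor) < (1, 11)  # older lines never received a fix; newer lines were cut after it


def find_controllers(deployments: dict) -> List[Tuple[str, str, bool]]:
    """(namespace/name, version, vulnerable) for every Deployment whose pod template runs the controller."""
    found = []
    for item in deployments.get("items", []):
        meta = item["metadata"]
        for c in item["spec"]["template"]["spec"].get("containers", []):
            v = parse_version(c.get("image", ""))
            if v is not None:
                found.append((f"{meta['namespace']}/{meta['name']}", ".".join(map(str, v)), is_vulnerable(v)))
    return found


def webhook_registered(webhook_configs: dict) -> bool:
    """True while the ingress-nginx admission webhook is still reachable through the API server."""
    return any(wh.get("name") == WEBHOOK_NAME
               for item in webhook_configs.get("items", [])
               for wh in item.get("webhooks", []))


def triage(deployments: dict, webhook_configs: dict) -> List[str]:
    lines = [f"{name}: controller v{version} {'VULNERABLE' if vuln else 'fixed'}"
             for name, version, vuln in find_controllers(deployments)]
    lines.append(f"admission webhook registered: {webhook_registered(webhook_configs)}")
    return lines


# Constructed samples standing in for the two kubectl outputs named in the lead-in.
SAMPLE_DEPLOYMENTS = {"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "controller", "image": "registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:0123abcd"}]}}}},
    {"metadata": {"namespace": "kube-system", "name": "coredns"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "coredns", "image": "registry.k8s.io/coredns/coredns:v1.11.3"}]}}}},
]}
SAMPLE_WEBHOOKS = {"items": [
    {"metadata": {"name": "ingress-nginx-admission"},
     "webhooks": [{"name": WEBHOOK_NAME}]},
]}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # python3 triage.py deployments.json webhooks.json
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            dep, wh = json.load(f1), json.load(f2)
    else:
        dep, wh = SAMPLE_DEPLOYMENTS, SAMPLE_WEBHOOKS
    print("\n".join(triage(dep, wh)))
```

    A vulnerable version with the webhook still registered is the exposed state; a fixed version with the webhook registered is the expected end state after upgrading. Installations that run the controller outside a Deployment (a DaemonSet, for instance) need the same image check applied to that object.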

    Conclusion

    CVE-2025-1974 highlights the importance of strict isolation and privilege boundaries within Kubernetes controllers. Administrators running ingress-nginx should upgrade to v1.11.5 or v1.12.1 (or later), the releases that carry the fix, and review which workloads can reach the controller's admission endpoint on the pod network.

  • CVE-2025-1315: Critical Privilege Escalation via Password Reset in InWave Jobs WordPress Plugin

    Overview

    CVE-2025-1315 is a critical vulnerability in the InWave Jobs plugin for WordPress, affecting all versions up to and including 3.5.1. This flaw allows unauthenticated attackers to reset the password of any user, including administrators, leading to full compromise of affected WordPress sites.

    Technical Details

    The vulnerability arises from the plugin’s failure to properly validate the identity of the user initiating a password reset. As a result, an attacker can craft a request that changes the password of any account without authentication. This type of flaw is categorized under CWE-288: Authentication Bypass Using an Alternate Path or Channel.

    Once the password of a privileged user, such as an administrator, is changed, the attacker gains full access to the backend, allowing them to:

    • Modify or delete content
    • Install malicious plugins or themes
    • Exfiltrate sensitive data
    • Compromise other user accounts
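    An added example of the two designs (not InWave Jobs code): a reset endpoint that takes the target login from the request, and one that issues a random, hashed, expiring, single-use token that only the mailbox owner ever sees. The account table is constructed, and the names request_reset and complete_reset are this example's own.

```python
import hashlib
import secrets
from typing import Dict, Optional

TOKEN_TTL = 900  # seconds a reset link stays valid


class VulnerableResetter:
    """The pattern behind this class of bug: the endpoint takes the target account from the
    request and changes its password without any proof the requester controls that account."""

    def __init__(self, users: Dict[str, dict]) -> None:
        self.users = users

    def reset(self, request: dict) -> bool:
        user = self.users.get(request.get("user_login", ""))
        if user is None:
            return False
        user["password"] = request["new_password"]  # an unauthenticated caller picks the login
        return True


class HardenedResetter:
    """Reset requires a random token delivered to the account's verified mailbox; only its
    hash is stored, it expires, it is single-use, and a successful reset invalidates every
    session that was open before it."""

    def __init__(self, users: Dict[str, dict]) -> None:
        self.users = users
        self._pending: Dict[str, dict] = {}  # sha256(token) -> {"login", "expires"}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, login: str, now: float) -> Optional[str]:
        if login not in self.users:
            return None  # the HTTP response must look identical either way (no user enumeration)
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = {"login": login, "expires": now + TOKEN_TTL}
        return token  # goes into the e-mail only; a leaked database yields just the hashes

    def complete_reset(self, token: str, new_password: str, now: float) -> bool:
        rec = self._pending.pop(self._digest(token), None)  # single use, whatever happens next
        if rec is None or rec["expires"] < now:
            return False
        user = self.users[rec["login"]]
        user["password"] = new_password  # a real store runs this through a password hash
        user["session_version"] += 1  # sessions carrying the old version are now rejected
        return True


if __name__ == "__main__":
    users = {"admin": {"password": "old", "session_version": 1}}
    print("vulnerable:", VulnerableResetter(users).reset({"user_login": "admin", "new_password": "pwned"}))
    h = HardenedResetter({"admin": {"password": "old", "session_version": 1}})
    token = h.request_reset("admin", now=0)
    print("guessed token:", h.complete_reset("not-the-token", "x", now=1))
    print("real token:   ", h.complete_reset(token, "new-password", now=1))
```

    The session_version bump is what makes a reset also a forced logout: session records store the version they were issued under, and the request handler rejects any session whose version is behind the account's current one.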

    CVSS Score

    This vulnerability has been assigned a CVSS v3.1 score of 9.8 (Critical):

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
    • Impact: High for Confidentiality, Integrity, and Availability

    Impacted Versions

    All versions of the InWave Jobs plugin up to and including 3.5.1 are affected. This includes installations integrated with themes like InJob.

    Mitigation

    • Immediately update to a patched version if available.
    • Disable the plugin temporarily if an update is not available.
    • Review your site’s user accounts for unauthorized changes or suspicious activity.
    • Reset administrator passwords after patching to ensure security.

    Conclusion

    This vulnerability emphasizes the importance of strict identity validation for all user-sensitive actions, especially password resets. A missing check in such a critical function can open the door to full system compromise. Site administrators using InWave Jobs should patch immediately and audit their sites for signs of intrusion.

    Credit for discovery goes to Tonn. For more information, visit the Wordfence advisory.

  • CVE-2025-1307: Critical Arbitrary File Upload in Newscrunch WordPress Theme

    Overview

    CVE-2025-1307 is a critical vulnerability in the Newscrunch theme for WordPress, affecting all versions up to and including 1.8.4. The issue allows authenticated users with Subscriber-level access or higher to upload arbitrary files to the server, potentially leading to full remote code execution.

    Technical Details

    The vulnerability stems from a missing capability check in the newscrunch_install_and_activate_plugin() function. This function fails to properly verify the permissions of the user invoking it. As a result, even low-privileged users, such as Subscribers, can exploit the flaw to upload malicious files—including PHP scripts—directly to the web server.

    This type of vulnerability is categorized as CWE-862: Missing Authorization. It demonstrates how insufficient access control can elevate minimal user privileges into a full-blown compromise, especially when combined with file upload functionality that lacks validation or execution restrictions.

    CVSS Score

    The issue has been scored as 9.8 (Critical) using CVSS v3.1:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
    • Impact: High (Confidentiality, Integrity, Availability)

    Note that PR:N in this vector does not match the Subscriber-level prerequisite described above. With that prerequisite the metric is PR:L, and the same impact profile scores 8.8 (High) rather than 9.8. Treat the Subscriber+ requirement as the operative condition, keeping in mind that open user registration makes it trivial to satisfy.

    Impacted Versions

    The vulnerability affects all versions of the Newscrunch theme up to and including 1.8.4. This includes default installations where subscriber accounts are enabled.

    Mitigation

    • Update the Newscrunch theme to the latest version that includes a fix for this issue.
    • Restrict user registration or limit file upload capabilities for non-admin roles as a temporary measure.
    • Scan your server for suspicious uploaded files, especially PHP scripts in non-standard directories.

    Conclusion

    This vulnerability is a reminder that themes and plugins must rigorously enforce capability checks, particularly when implementing file upload or plugin management features. Site administrators using Newscrunch should patch immediately and audit any low-privilege accounts for unusual activity.

    Thanks to Chloe Chamberland for identifying and reporting this vulnerability. More details can be found in the Wordfence advisory.

  • CVE-2025-1061: Critical Authentication Bypass in Nextend Social Login Pro via Apple OAuth

    Overview

    CVE-2025-1061 is a critical authentication bypass vulnerability in the Nextend Social Login Pro plugin for WordPress. Versions up to and including 3.1.16 are affected. The flaw allows unauthenticated attackers to log in as any existing user, including administrators, by exploiting weaknesses in the Apple OAuth authentication process.

    Technical Details

    The vulnerability stems from insufficient verification of the user data provided during the Apple OAuth authentication request. Specifically, the plugin fails to securely validate the identity of the user returned by Apple, enabling attackers who know or can guess an existing user’s email address to log in without needing their password or valid credentials.

    This issue is classified under CWE-288: Authentication Bypass Using an Alternate Path or Channel. By bypassing the standard login mechanisms, an attacker can impersonate site administrators or other privileged users, gaining full access to the WordPress dashboard and potentially compromising the entire website.

    CVSS Score

    The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical), indicating the highest level of severity:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
    • Impact: High (Confidentiality, Integrity, Availability)

    Impacted Versions

    All versions of Nextend Social Login Pro up to and including 3.1.16 are affected. Site owners using this plugin should check their version immediately.

    Mitigation

    • Update to the latest version of the plugin that contains a patch for this issue.
    • Audit user access and check for signs of unauthorized logins, especially for administrator accounts.
    • Reconfigure or disable Apple OAuth login until you are certain the patch is in place and effective.

    Conclusion

    OAuth integrations simplify user login but must be handled with strict validation and security checks. This incident underscores the importance of never trusting identity assertions without verification. Plugin developers and site administrators alike should take extra precautions with third-party login providers.

    For more details, consult the official advisory on Wordfence or view the plugin documentation on Nextend.

  • CVE-2025-30206: Hardcoded JWT Secret in Dpanel Enables Full Remote Compromise

    Overview

    CVE-2025-30206 is a critical vulnerability in Dpanel, a Docker visualization and management panel. The flaw affects versions prior to 1.6.1 and stems from the use of a hardcoded JWT secret. This enables attackers to craft valid tokens and take full control of the system remotely.

    Technical Details

    The vulnerability arises due to insecure design choices including the use of a hardcoded cryptographic key (CWE-321), insecure default variable initialization (CWE-453), and embedded constants (CWE-547). By analyzing the source code, an attacker can identify the JWT secret used to sign authentication tokens. With this knowledge, they can generate valid JWTs, impersonate admin users, and bypass all authentication controls.

    Once authenticated, an attacker gains administrative access, potentially allowing them to:

    • Execute arbitrary commands on the host
    • Access and exfiltrate sensitive data
    • Escalate privileges
    • Move laterally across the network

    This vulnerability is especially dangerous in cloud or containerized environments where Dpanel is used to orchestrate Docker containers and images.

    CVSS Score

    The issue has been rated 9.8 (Critical) under CVSS v3.1:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
    • Impact: High on Confidentiality, Integrity, and Availability

    Affected Versions

    All Dpanel versions prior to 1.6.1 are affected. This includes default installations where the hardcoded secret remains unchanged.

    Mitigation

    • Update to Dpanel version 1.6.1, which includes a patch for the issue.
    • If an upgrade is not immediately possible, note that a secret compiled into the binary cannot be rotated through configuration alone: rebuild from source with a randomly generated secret read from a configuration file or secrets manager, and until then keep the panel off untrusted networks.
    • Audit existing Dpanel deployments to ensure secrets are not default or exposed.

    Conclusion

    Hardcoded secrets remain one of the most dangerous and avoidable security flaws. Projects managing access and infrastructure—like Dpanel—must ensure that sensitive credentials are properly generated, stored securely, and never embedded directly in source code. Organizations using Dpanel should take immediate action to mitigate the risk and prevent potential breaches.

    More details are available in the official advisory: GHSA-j752-cjcj-w847.
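    One added example (not code from BuddyBoss, Nextend, or Dpanel) serving the two Apple OAuth advisories above (CVE-2025-1909, CVE-2025-1061) and the Dpanel advisory (CVE-2025-30206); the piece they share is JWT verification. For the OAuth case it contrasts a login that trusts the email posted back by the browser with one that takes the email from a verified identity token whose issuer, audience, and expiry are checked. For the Dpanel case it shows that once the signing secret is a constant in the source, anyone can mint an admin token that verifies, and that the fix is a per-deployment random secret. Two simplifications, both assumed: HS256 with a shared key is used so the example runs offline (Apple actually signs identity tokens with RS256 and publishes the verification keys at https://appleid.apple.com/auth/keys, so a real implementation verifies against those), and the client id, user table, and HARDCODED_SECRET value are constructed rather than the products' real values.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode(claims: dict, key: bytes) -> str:
    """HS256 stand-in for the example (Apple really uses RS256, see the lead-in)."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"


def jwt_verify(token: str, key: bytes, issuer: str, audience: str, now: int) -> Optional[dict]:
    """Return the claims only if algorithm, signature, issuer, audience and expiry all check out."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        head = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(head, dict) or not isinstance(claims, dict) or head.get("alg") != "HS256":
        return None  # the verifier decides the algorithm, never the token ("alg": "none" dies here)
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


# --- Apple OAuth login (CVE-2025-1909 / CVE-2025-1061 pattern) ---
APPLE_ISSUER = "https://appleid.apple.com"
CLIENT_ID = "com.example.site"  # assumed Services ID registered with Apple
USERS = {"admin@example.com": {"login": "admin", "role": "administrator"}}  # constructed


def vulnerable_apple_login(post: dict) -> Optional[dict]:
    """Trusts the email the browser posted back from the Apple flow; knowing an address is enough."""
    return USERS.get(post.get("email", ""))


def hardened_apple_login(post: dict, apple_key: bytes, now: int) -> Optional[dict]:
    claims = jwt_verify(post.get("id_token", ""), apple_key, APPLE_ISSUER, CLIENT_ID, now)
    if claims is None or claims.get("email_verified") not in (True, "true"):
        return None
    return USERS.get(claims.get("email", ""))  # identity comes from the verified token, not the form


# --- Hardcoded signing secret (CVE-2025-30206 pattern) ---
HARDCODED_SECRET = b"panel-jwt-secret"  # stand-in for a constant found in source; not Dpanel's value


def forge_admin_token(secret: bytes, now: int) -> str:
    """Once the signing key is public, an attacker mints their own admin session."""
    return jwt_encode({"iss": "panel", "aud": "panel", "sub": "admin", "exp": now + 3600}, secret)


def panel_session(token: str, secret: bytes, now: int) -> Optional[str]:
    claims = jwt_verify(token, secret, "panel", "panel", now)
    return claims.get("sub") if claims else None


def fresh_secret() -> bytes:
    """The fix: a per-deployment secret generated at install time and kept out of the source tree."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    print("vulnerable OAuth login with just an email:", vulnerable_apple_login({"email": "admin@example.com"}))
    print("hardened OAuth login with just an email:  ", hardened_apple_login({"email": "admin@example.com"}, b"k" * 32, 1000))
    print("panel, hardcoded secret, forged token:    ", panel_session(forge_admin_token(HARDCODED_SECRET, 0), HARDCODED_SECRET, 10))
    print("panel, fresh secret, same forged token:   ", panel_session(forge_admin_token(HARDCODED_SECRET, 0), fresh_secret(), 10))
```

    In the OAuth case, the attacker's identifier in the callback (the email) is the same string the legitimate flow carries, so nothing short of verifying Apple's signature over it distinguishes the two requests. In the Dpanel case the signature check is present but worthless, because its key is not a secret; the two bugs fail in opposite halves of the same verification routine.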

  • CVE-2025-47582: Critical PHP Object Injection in WPBot Pro WordPress Chatbot Plugin

    Overview

    On May 19, 2025, a critical vulnerability was disclosed under the identifier CVE-2025-47582. This vulnerability affects the WPBot Pro WordPress Chatbot plugin by QuantumCloud, in all versions up to and including 12.7.0. It involves a PHP Object Injection issue due to the unsafe deserialization of untrusted data. This flaw allows attackers to execute arbitrary code remotely and has received a CVSS v3.1 base score of 9.8 (Critical).

    Technical Details

    The core of the vulnerability lies in how the plugin handles serialized data. It fails to properly validate input before deserialization, making it possible for attackers to inject malicious PHP objects. This type of issue is categorized as CWE-502: Deserialization of Untrusted Data, which is a common and severe programming flaw in PHP applications.

    Attackers can exploit this vulnerability to gain full control over the affected website, access sensitive information, alter functionality, or cause a complete service outage. The attack pattern aligns with CAPEC-586: Object Injection, highlighting the risks of allowing deserialization without strict controls.
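    An added example (not WPBot Pro code) of the control the conclusion of this entry calls for: a parser for PHP's serialize() format that accepts scalars and arrays but refuses any O:/C: object token outright. That is stricter than PHP's own unserialize($data, ['allowed_classes' => false]), which substitutes __PHP_Incomplete_Class for the object instead of rejecting the input. It is written in Python, like the other examples on this page, so it can also serve as a triage filter in front of a PHP application; the sample payloads are constructed.

```python
from typing import Any, Tuple

MAX_DEPTH = 64  # bound nesting so a hostile payload cannot exhaust the stack


class PhpObjectRejected(ValueError):
    """The payload tried to describe a PHP object (O:) or custom-serialized class (C:)."""


def _parse(data: bytes, pos: int, depth: int = 0) -> Tuple[Any, int]:
    if depth > MAX_DEPTH:
        raise ValueError("nesting too deep")
    tag = data[pos:pos + 1]
    if tag == b"N":
        if data[pos + 1:pos + 2] != b";":
            raise ValueError(f"bad null at {pos}")
        return None, pos + 2
    if tag in (b"O", b"C"):
        raise PhpObjectRejected(f"object token {tag.decode()} at offset {pos}")
    if data[pos + 1:pos + 2] != b":":
        raise ValueError(f"unknown or malformed tag {tag!r} at {pos}")
    if tag in (b"b", b"i", b"d"):
        end = data.index(b";", pos)
        raw = data[pos + 2:end]
        value = (raw == b"1") if tag == b"b" else int(raw) if tag == b"i" else float(raw)
        return value, end + 1
    if tag == b"s":
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])  # byte length: honour it, never search for the closing quote
        start = colon + 2
        if data[colon + 1:colon + 2] != b'"' or data[start + length:start + length + 2] != b'";':
            raise ValueError(f"bad string at {pos}")
        return data[start:start + length].decode("utf-8", "replace"), start + length + 2
    if tag == b"a":
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        if data[colon + 1:colon + 2] != b"{":
            raise ValueError(f"bad array at {pos}")
        pos = colon + 2
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos, depth + 1)
            if not isinstance(key, (int, str)):
                raise ValueError("array keys must be int or string")
            result[key], pos = _parse(data, pos, depth + 1)
        if data[pos:pos + 1] != b"}":
            raise ValueError(f"unterminated array at {pos}")
        return result, pos + 1
    raise ValueError(f"unknown tag {tag!r} at {pos}")


def safe_php_unserialize(data: bytes) -> Any:
    """Scalars and arrays only; any object token raises PhpObjectRejected."""
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after value")
    return value


def triage(data: bytes) -> str:
    """Classify an incoming serialized blob: 'ok', 'object' (reject and alert), or 'malformed'."""
    try:
        safe_php_unserialize(data)
        return "ok"
    except PhpObjectRejected:
        return "object"
    except ValueError:
        return "malformed"


if __name__ == "__main__":
    # Constructed payloads: a benign options array, an object injection attempt, and a string
    # that merely contains "O:" text (a regex-only filter would misjudge the last one).
    for payload in (b'a:2:{s:4:"lang";s:2:"en";s:5:"debug";b:0;}',
                    b'O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}',
                    b's:14:"O:8:"stdClass"";'):
        print(triage(payload), payload)
```

    The usual deployment is to parse with a function like this and hand the resulting plain arrays to the application, or better, to move the data format to JSON so that PHP's unserialize() never sees attacker-controlled bytes at all.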

    CVSS Breakdown

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Attack Vector: Network – Can be exploited remotely.
    • Attack Complexity: Low – No special conditions required.
    • Privileges Required: None – No authentication needed.
    • User Interaction: None – Fully automated attack possible.
    • Confidentiality, Integrity, Availability: High – Complete system compromise possible.

    Impacted Versions

    All versions of WPBot Pro WordPress Chatbot up to and including 12.7.0 are affected. If you are using this plugin, immediate action is strongly recommended.

    Discovery and Credit

    This vulnerability was responsibly disclosed by Tran Nguyen Bao Khanh from VCI – VNPT. The advisory has been published and verified by Patchstack.

    Mitigation Steps

    • Update the WPBot Pro plugin to a version newer than 12.7.0, if available.
    • If no patch is yet available, disable the plugin until a secure version is released.
    • Consider deploying a Web Application Firewall (WAF) to mitigate attack attempts targeting serialized inputs.

    Conclusion

    PHP Object Injection vulnerabilities pose severe security threats, especially when they are exposed over the network without requiring authentication. Developers must avoid calling unserialize() on user-supplied input at all, preferring json_decode() for data exchange; where the serialize() format cannot be avoided, pass unserialize($data, ['allowed_classes' => false]) (PHP 7.0 and later) so that no attacker-chosen class is instantiated and no magic method runs, and validate the resulting structure before use. Website owners should maintain a regular update strategy and monitor vulnerability disclosures relevant to their stack.

    For further information, consult the official advisory on Patchstack.