Karl.Fail

Tag: score:9.8

  • CVE-2025-47581: Critical PHP Object Injection in WordPress Events Calendar Registration & Tickets Plugin

    Overview

    On May 19, 2025, a critical vulnerability was published under the identifier CVE-2025-47581. This vulnerability affects the popular WordPress plugin Events Calendar Registration & Tickets by Elbisnero, up to version 2.6.0. The flaw is a PHP Object Injection vulnerability resulting from unsafe deserialization of untrusted data. It has received a CVSS v3.1 base score of 9.8 (Critical).

    Technical Details

    The vulnerability stems from improper handling of serialized input within the plugin’s codebase. Specifically, the plugin deserializes data without adequate validation or sanitation, allowing attackers to inject arbitrary PHP objects. This can be exploited to execute arbitrary code or manipulate application behavior.

    According to the Common Weakness Enumeration, this issue maps to CWE-502: Deserialization of Untrusted Data. The vulnerability is cataloged under the CAPEC-586: Object Injection attack pattern, highlighting the security implications of insecure deserialization techniques.

    The CVSS v3.1 vector string for this vulnerability is:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    This means:

    • Attack Vector (AV): Network – Can be exploited remotely.
    • Attack Complexity (AC): Low – Easily executed without complex conditions.
    • Privileges Required (PR): None – No authentication required.
    • User Interaction (UI): None – No user involvement necessary.
    • Confidentiality, Integrity, Availability Impact: High – Severe consequences on data and service integrity.

    Impacted Versions

    The vulnerability affects all versions of WordPress Events Calendar Registration & Tickets up to and including version 2.6.0. According to the vendor’s disclosure, newer versions may not be impacted, but users are strongly advised to verify and apply updates promptly.

    Discovery and Credits

    The vulnerability was discovered by Bonds from the Patchstack Alliance, a group dedicated to identifying and mitigating vulnerabilities in WordPress ecosystems. The issue was responsibly disclosed and publicly documented by Patchstack.

    Mitigation

    If you are using a vulnerable version (≤ 2.6.0) of the plugin:

    • Immediately update to a patched version, if available.
    • If no fix is available, consider disabling or replacing the plugin temporarily.
    • Employ a Web Application Firewall (WAF) to detect and block suspicious serialized data patterns.

    Conclusion

    This vulnerability is a stark reminder of the risks associated with deserialization and untrusted user input. Plugin developers should avoid unsafe PHP functions like unserialize() without proper controls and adopt secure coding practices. Website administrators must stay vigilant by keeping plugins up to date and monitoring for new disclosures regularly.

    For further details, see the official advisory on Patchstack.

  • CVE-2025-4389: Critical File Upload Vulnerability in Crawlomatic Plugin for WordPress

    Overview

    A critical vulnerability identified as CVE-2025-4389 affects the Crawlomatic Multipage Scraper Post Generator plugin for WordPress, up to and including version 2.6.8.1. Discovered by Friderika Baranyai and disclosed on May 16, 2025, this flaw enables unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution (RCE).

    Technical Details

    The vulnerability resides in the crawlomatic_generate_featured_image() function, which lacks proper file type validation. As a result, attackers can upload malicious files directly to the affected server without any authentication. This violates best practices in secure coding, particularly around file handling and input validation.

    This issue is categorized under CWE-434: Unrestricted Upload of File with Dangerous Type, which involves failure to restrict uploads to safe file types, opening the door for execution of hostile code on the server.

    CVSS Score and Impact

    The vulnerability has been rated CRITICAL with a CVSS v3.1 base score of 9.8. The vector string is:

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Key characteristics of this score include:

    • Exploitable remotely over a network (AV:N)
    • Low attack complexity (AC:L)
    • No privileges or user interaction required (PR:N, UI:N)
    • High impact on confidentiality, integrity, and availability (C:H, I:H, A:H)

    Impacted Versions

    All versions of the plugin up to and including 2.6.8.1 are affected. Users running these versions are highly encouraged to update or disable the plugin immediately.

    Mitigation and Recommendations

    Users should consult the plugin vendor for updates or security patches. In the absence of an immediate patch, disabling the plugin is advised. For reference and further reading, see:

    CISA’s SSVC analysis identifies the vulnerability as automatable with a total technical impact, further underlining the urgency of remediation efforts.

    Conclusion

    CVE-2025-4389 is a severe security risk for WordPress sites using the Crawlomatic plugin. The ability for unauthenticated users to upload files with no validation represents a significant attack vector. Site administrators must act swiftly to mitigate this threat.

  • CVE-2025-30016: Critical Authentication Bypass in SAP Financial Consolidation

    Overview

    On April 8, 2025, SAP disclosed a critical vulnerability identified as CVE-2025-30016 in its Financial Consolidation software (version FINANCE 1010). This flaw allows an unauthenticated attacker to gain unauthorized access to the Admin account, compromising the entire system’s security posture.

    Technical Details

    The vulnerability stems from improper authentication mechanisms within SAP Financial Consolidation. Specifically, the system fails to adequately enforce authentication controls, enabling attackers on the network to bypass security and access high-privilege functionality.

    This issue is classified under CWE-921: Storage of Sensitive Data in a Mechanism without Access Control. It implies that sensitive data, such as admin credentials or access tokens, might be exposed or improperly protected, thereby increasing the risk of exploitation.

    CVSS Score and Impact

    The vulnerability has received a CVSS v3.1 base score of 9.8, reflecting its severity and ease of exploitation. The vector string is:

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    This score indicates:

    • Attack is remotely exploitable over a network (AV:N)
    • Low attack complexity (AC:L)
    • No privileges required (PR:N)
    • No user interaction needed (UI:N)
    • High impact on confidentiality, integrity, and availability (C:H/I:H/A:H)

    Impacted Software

    The affected product is SAP Financial Consolidation FINANCE 1010. All deployments running this version should be considered at risk. This vulnerability is critical for enterprises relying on this software for financial reporting and data management.

    Mitigation and Advisory

    SAP has issued an advisory and relevant security patches. Organizations using SAP Financial Consolidation should immediately review the following resources:

    Although there is no known exploitation in the wild, CISA’s SSVC (Stakeholder-Specific Vulnerability Categorization) marks the technical impact as total and the vulnerability as automatable — indicating a high potential risk if not mitigated.

    Conclusion

    CVE-2025-30016 presents a serious security risk to organizations using SAP Financial Consolidation. With unauthenticated remote access to administrative functions, attackers could cause severe data breaches or system outages. Immediate patching and system audits are strongly advised.

  • CVE-2025-30727: Critical Unauthenticated Remote Takeover in Oracle Scripting

    Overview

    CVE-2025-30727 is a critical vulnerability affecting the Oracle Scripting component of Oracle E-Business Suite, specifically within the iSurvey Module. Versions from 12.2.3 to 12.2.14 are impacted. The flaw allows an unauthenticated attacker with HTTP network access to completely compromise the system.

    What Is the Issue?

    This vulnerability is attributed to CWE-306: Missing Authentication for Critical Function. It represents a significant security lapse where critical functionality within Oracle Scripting can be accessed without proper authentication, enabling full system takeover.

    According to Oracle’s advisory, exploitation does not require any user interaction or prior privileges. The attacker can leverage this over the network via HTTP, making the vulnerability easily exploitable and particularly dangerous in externally accessible environments.

    Technical Details

    The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical). The vector is:

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
    • Impact: High for Confidentiality, Integrity, and Availability

    SSVC Assessment

    The CISA Stakeholder-Specific Vulnerability Categorization (SSVC) analysis further highlights the urgency:

    • Exploitation: Not yet observed
    • Automatable: No
    • Technical Impact: Total

    This suggests that while the vulnerability has not yet been exploited, the potential impact is complete system compromise, urging immediate remediation.

    Mitigation Recommendations

    Oracle has issued patches as part of its April 2025 Critical Patch Update. Organizations using Oracle Scripting 12.2.3 to 12.2.14 should:

    • Apply the latest patches immediately
    • Restrict network access to the iSurvey module if immediate patching is not possible
    • Monitor for unusual access patterns or administrative actions

    References

    This CVE serves as a crucial reminder that authentication controls must be enforced on all critical application components—especially those exposed via HTTP.

  • CVE-2025-30387: Critical Path Traversal in Azure AI Document Intelligence Studio

    Overview

    CVE-2025-30387 is a critical vulnerability affecting Microsoft Azure AI Document Intelligence Studio (on-premises). Discovered in versions from 1.0.0 up to (but not including) 1.0.03019.1-official-7241c17a, this flaw allows unauthorized attackers to escalate privileges remotely by exploiting a path traversal weakness.

    What is Path Traversal?

    Path Traversal, categorized under CWE-22, occurs when attackers manipulate file paths in input fields to access files or directories outside the intended scope. This can result in unauthorized access to system files, configuration data, or in this case, elevation of privilege within the affected application.

    Technical Details

    The issue stems from improper validation of user-supplied file paths in the Document Intelligence Studio On-Prem edition. An attacker on the network can exploit this by crafting specially formed paths to escape restricted directories and access sensitive files or execute unauthorized actions.

    This vulnerability has been scored with a CVSS v3.1 base score of 9.8 (Critical) and is described by the following vector:

    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
    • Impact: High for Confidentiality, Integrity, and Availability

    SSVC Assessment

    According to the CISA Stakeholder-Specific Vulnerability Categorization (SSVC):

    • No exploitation has been observed yet
    • The attack is automatable
    • The technical impact is considered total

    While not currently exploited, the vulnerability poses significant risk due to its ease of exploitation and potential for full system compromise.

    Mitigation

    Microsoft has addressed the issue in version 1.0.03019.1-official-7241c17a of Azure AI Document Intelligence Studio. Organizations using earlier versions should:

    • Upgrade to the latest patched release immediately
    • Restrict network access to the affected service
    • Review audit logs for any signs of unusual file access or privilege elevation attempts

    References

    This case underlines the importance of thorough input validation and timely patching, especially in on-prem environments that may be less frequently updated.

  • CVE-2025-30392: Critical Privilege Escalation in Microsoft Azure AI Bot Service

    Overview

    CVE-2025-30392 is a critical security vulnerability identified in the Microsoft Azure AI Bot Service. The flaw, publicly disclosed on April 30, 2025, is classified as an Improper Authorization issue (CWE-285), enabling unauthorized attackers to elevate their privileges remotely over a network.

    Understanding Improper Authorization

    CWE-285: Improper Authorization describes a condition where an application does not adequately enforce access controls. This flaw allows attackers to perform actions that should require higher privileges, bypassing security boundaries put in place by developers or administrators.

    In the case of Azure AI Bot Service, this vulnerability means that unauthenticated users could potentially gain access to privileged functions, compromising confidentiality, integrity, and availability of affected systems.

    Technical Details

    The vulnerability carries a CVSS v3.1 score of 9.8 (Critical) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This scoring indicates:

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
    • Impact: High for Confidentiality, Integrity, and Availability

    No authentication or user interaction is needed to exploit this vulnerability, making it highly dangerous for cloud-based services like Azure bots.

    SSVC and Exploitation Risk

    According to the Stakeholder-Specific Vulnerability Categorization (SSVC) by CISA:

    • Exploitation: Not observed in the wild
    • Automatable: Yes
    • Technical Impact: Total

    This analysis highlights that, while no exploitation has yet been detected, the ease of automation and severity of impact necessitate urgent attention.

    Mitigation Recommendations

    Organizations leveraging the Azure AI Bot Service should take the following steps:

    • Apply any security patches or configuration changes provided by Microsoft immediately
    • Review bot permissions and API access controls
    • Audit logs for unusual privilege changes or unauthorized access

    References

    This vulnerability is a reminder of the risks associated with cloud-native services and the importance of rigorous access control validation.

  • CVE-2025-23914: Critical PHP Object Injection in Muzaara Google Ads Report Plugin

    Overview

    CVE-2025-23914 highlights a critical vulnerability in the Muzaara Google Ads Report plugin for WordPress, affecting versions up to and including 3.1. The issue allows PHP Object Injection through the deserialization of untrusted data, potentially enabling full system compromise.

    What is PHP Object Injection?

    PHP Object Injection is a security vulnerability that occurs when user-controllable data is passed to the unserialize() function in PHP. This allows attackers to inject maliciously crafted objects, leading to the execution of code, data manipulation, or even complete application takeover—especially if vulnerable classes with magic methods are present.

    This flaw is categorized under CWE-502: Deserialization of Untrusted Data and maps to CAPEC-586: Object Injection.

    Technical Details

    The plugin fails to properly validate or sanitize serialized data inputs, exposing an unsafe deserialization vector. Since this vulnerability:

    • Requires no authentication
    • Is exploitable over the network
    • Needs no user interaction

    It presents an exceptionally high risk for WordPress site operators.

    CVSS Score and Severity

    The vulnerability has been assigned a CVSS v3.1 score of 9.8 (Critical):

    • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Attack Vector: Network
    • Privileges Required: None
    • User Interaction: None
    • Impact: High on confidentiality, integrity, and availability

    This indicates a high-impact vulnerability that can be exploited remotely with minimal effort.

    SSVC Assessment

    Based on the Stakeholder-Specific Vulnerability Categorization (SSVC) by CISA, the flaw is:

    • Not yet known to be exploited
    • Highly automatable
    • Technically impactful to a total extent

    These indicators underscore the urgent need for immediate remediation.

    Mitigation

    Administrators using the Muzaara Google Ads Report plugin should:

    • Immediately update or disable the plugin if no patch is available
    • Audit their WordPress installation for suspicious serialized payloads
    • Implement WAF rules to block known deserialization exploits

    References

    Due to the high severity and ease of exploitation, organizations should treat this vulnerability as a top-priority fix.