Articles
Newsflash
15 Jul 2025 Business and Enterprise Solutions
WordPress: CSRF Vulnerability Allows Arbitrary File Deletion and Potential RCE in Restrict File Access Plugin

In Restrict File Access plugin for WordPress versions up to and including 1.1.2 a high severity vulnerability CVE-2025-7667 was detected. This vulnerability allows unauthenticated attackers to delete arbitrary files on the server via a forged request due to missing or incorrect nonce validation on the ‘restrict-file-access’ page, which can lead to remote code execution if a critical file such as wp-config.php is deleted. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7667.

Read more
CMS
15 Jul 2025 Business and Enterprise Solutions
WordPress: Stored XSS via update_delay_days Parameter in Companion Auto Update Plugin

In Companion Auto Update plugin for WordPress versions up to and including 3.9.2 a medium severity vulnerability CVE-2025-4369 was detected. This vulnerability allows admin-level users to inject scripts via the update_delay_days parameter, affecting multi-site setups with unfiltered_html disabled. To address this issue, users should update Companion Auto Update plugin to versions 3.9.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4369.

Read more
CMS
15 Jul 2025 Business and Enterprise Solutions
WordPress: Stored XSS via Testimonial Custom Fields in Strong Testimonials Plugin

In Strong Testimonials plugin for WordPress versions up to and including 3.2.11 a medium severity vulnerability CVE-2025-7367 was detected. This vulnerability allows authenticated attackers with Author-level access and above to inject arbitrary web scripts via Testimonial Custom Fields due to insufficient input sanitization and output escaping. To address this issue, users should update Strong Testimonials plugin to versions 3.2.12 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7367.

Read more
CMS
15 Jul 2025 DevOps
PHP: SOAP Extension Vulnerability via Oversized XML Namespace Prefix

In PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23 and 8.4.* before 8.4.10 a medium severity vulnerability CVE-2025-6491 was detected. This vulnerability allows attackers to cause a null pointer dereference by parsing XML data with an overly large (>2GB) XML namespace prefix in SOAP extensions, potentially leading to crashes and impacting server availability. To address this issue, users should upgrade PHP to versions 8.1.33, 8.2.29, 8.3.23 or 8.4.10. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6491.

Read more
Web Development
15 Jul 2025 DevOps
PHP: Improper Error Handling in PostgreSQL Escaping Functions

In PHP versions 8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, and 8.4.* a medium severity vulnerability CVE-2025-1735 was detected. This vulnerability is caused by improper error handling in the pgsql and pdo_pgsql escaping functions, which fail to check for errors returned by the underlying quoting mechanisms, potentially leading to crashes if the PostgreSQL server rejects an invalid string. To address this issue, users should upgrade PHP to versions 8.1.33, 8.2.29, 8.3.23 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1735.

Read more
Web Development
14 Jul 2025 Business and Enterprise Solutions
WordPress: Unauthenticated File Access in WordPress Age Verification Plugin

In the Premium Age Verification / Restriction for WordPress plugin, all versions up to and including 3.0.2 a critical severity vulnerability CVE-2025-7401 was detected. This vulnerability allows unauthenticated attackers to read from or write to arbitrary files on the server due to insufficiently protected remote support functionality in remote_tunnel.php. This may lead to exposure of sensitive information or remote code execution. Currently the is no fix for this vulnerability. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7401.

Read more
CMS
Case Studies