Business and Enterprise Solutions

In Quantic Social Image Hover plugin for WordPress versions up to and including 1.0.8 a medium severity vulnerability CVE-2025-13360 was identified. This vulnerability is due to missing nonce validation on the settings update functionality, which allows unauthenticated attackers to update the plugin’s settings and inject malicious web scripts via a forged request if they can trick a site administrator into performing an action such as clicking on a link. To address this issue, users should upgrade the plugin to version 1.0.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13360.

In SureMail – SMTP and Email Logs plugin for WordPress versions up to and including 1.9.0 a high severity vulnerability CVE-2025-13516 was detected. This vulnerability is due to unrestricted upload of files with dangerous types via the save_file() function, which saves email attachments to a web-accessible directory without proper validation. Although the plugin attempts to prevent PHP execution using an Apache .htaccess file, this protection is ineffective on nginx, IIS, Lighttpd, or misconfigured Apache servers. This flaw allows unauthenticated attackers to upload malicious PHP files and execute arbitrary code by accessing the files via predictable filenames. To address this issue, users should upgrade the plugin to version 1.9.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13516.

In HUSKY – Products Filter Professional for WooCommerce plugin for WordPress versions up to and including 1.3.7.2 a medium severity vulnerability CVE-2025-13109 was detected. This vulnerability allows authenticated attackers with subscriber-level access and above to exploit missing validation in the woof_add_query and woof_remove_query functions. Successful exploitation enables attackers to insert or remove arbitrary saved search queries in any user’s profile, including administrators, leading to unauthorized modification of user data. To address this issue, users should upgrade the plugin to version 1.3.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13109.

In Mautic versions 4.0 through 4.4.17, 5.0 through 5.2.8, and 6.0 through 6.0.6 a low critical vulnerability CVE-2025-13828 was detected. This vulnerability allows a non-privileged user without access to the Marketplace to install and uninstall arbitrary composer packages, even when the “enable composer based update” setting is disabled. This can lead to malicious code installation, enabling privilege escalation on the platform. To address this issue, users should upgrade Mautic to versions 4.4.18, 5.2.9, 6.0.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13828.

In Mautic versions 4.0 through 4.4.17, 5.0 through 5.2.8, and 6.0 through 6.0.6 a high severity vulnerability CVE-2025-13827 was detected. This vulnerability allows unauthenticated attackers to upload arbitrary files via the GrapesJS Builder due to lack of file type restrictions. If the media folder is not properly restricted from executing files, this can lead to remote code execution. To address this issue, users should upgrade Mautic to versions 4.4.18, 5.2.9, 6.0.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13827.

In Sneeit Framework plugin for WordPress versions up to and including 8.3 a critical severity vulnerability CVE-2025-6389 was detected. This vulnerability allows unauthenticated attackers to achieve Remote Code Execution through the sneeit_articles_pagination_callback() function, which processes untrusted user input and passes it to call_user_func(). Successful exploitation enables attackers to execute arbitrary code on the server, potentially leading to backdoor injection or creation of new administrative accounts. To address this issue, users should upgrade the plugin to version 8.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6389.

In StreamTube Core plugin for WordPress versions up to and including 4.78 a critical severity vulnerability CVE-2025-13615 was detected. This vulnerability allows unauthenticated attackers to bypass authorization and change user passwords, potentially leading to takeover of administrator accounts. The vulnerability exists because the plugin provides user-controlled access to objects without proper authorization checks. Note that this exploit requires the ‘registration password fields’ to be enabled in theme options. To address this issue, users should upgrade the plugin to a fixed version once available. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13615.

In Houzez theme for WordPress versions up to and including 4.1.6 a medium severity vulnerability CVE-2025-9191 was detected. This vulnerability allows authenticated attackers with Subscriber-level access and above to perform PHP Object Injection via deserialization of untrusted input in saved-search-item.php. While no known POP chain is present in the theme itself, the vulnerability can lead to arbitrary file deletion, sensitive data retrieval, or code execution if another plugin or theme containing a POP chain is installed on the site. To address this issue, users should upgrade the theme to version 4.1.7 or larer. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9191.

In Houzez theme for WordPress versions up to and including 4.1.6 a medium severity vulnerability CVE-2025-9163 was detected. This vulnerability allows unauthenticated attackers to perform Stored Cross-Site Scripting (XSS) by uploading malicious SVG files due to insufficient input sanitization and output escaping in the houzez_property_img_upload() and houzez_property_attachment_upload() functions. Exploitation can lead to arbitrary script execution whenever a user accesses the injected SVG file. To address this issue, users should upgrade the theme to version 4.1.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9163.