Our news and updates

In Calculated Fields Form plugin for WordPress versions prior to 5.2.62 a low severity vulnerability CVE-2024-12273 was detected. This vulnerability allows high-privilege users, such as admins, to perform Stored Cross-Site Scripting (XSS) attacks due to improper sanitization and escaping of certain settings, even when the unfiltered_html capability is disallowed (e.g., in multisite setups). To address this issue, users should upgrade Calculated Fields Form plugin to versions 5.2.62 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12273.

In Admin and Site Enhancements (ASE) plugin for WordPress versions prior to 7.6.10 a medium severity vulnerability CVE-2024-13688 was detected. This vulnerability allows attackers to bypass the Password Protection feature by exploiting a hardcoded password through a crafted request. To address this issue, users should upgrade Admin and Site Enhancements (ASE) plugin to versions 7.6.10 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13688.

In Edumall theme for WordPress versions up to and including 4.2.4 a high severity vulnerability CVE-2025-2101 was detected. This vulnerability allows attackers to include and execute arbitrary PHP files on the server, potentially leading to code execution, bypassing access controls, or exposing sensitive information. To address this issue, users should upgrade Edumall theme to versions 4.3.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2101.

In The Anps Theme plugin for WordPress versions up to and including 1.1.1 a medium severity vulnerability CVE-2024-13812 was detected. This vulnerability allows attackers to execute arbitrary shortcodes without authentication, potentially leading to site compromise. To address this issue, users should upgrade The Anps Theme plugin to versions 1.1.25 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13812.

In Aeropage Sync for Airtable plugin for WordPress versions up to and including 3.2.0 a medium severity vulnerability CVE-2025-3915 was detected. This vulnerability allows authenticated attackers with Subscriber-level access and above to delete arbitrary posts. To address this issue, users should upgrade Aeropage Sync for Airtable plugin to versions 3.3.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3915.

In Add Custom Page Template plugin versions up to and including 2.0.1 a high severity vulnerability CVE-2025-3491 was detected. This vulnerability allows authenticated attackers with Administrator-level access and above to execute arbitrary code on the server via insufficient sanitization of the ‘template_name’ parameter. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3491.

In Jupiter X Core plugin versions up to and including 4.8.11 a high severity vulnerability CVE-2025-2105 was detected. This vulnerability allows attackers to inject PHP objects via deserialization of untrusted input from the ‘file’ parameter of the ‘raven_download_file’ function, and if a POP chain exists through another plugin or theme, it may enable file deletion, data retrieval, or code execution. To address this issue, users should upgrade Jupiter X Core plugin to versions 4.8.12 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2105.

In Mattermost versions 10.4.x ≤ 10.4.2, 10.5.x ≤ 10.5.0 and 9.11.x ≤ 9.11.10 a medium severity vulnerability CVE-2025-41395 was detected. This issue arises from improper validation of `props` in the `RetrospectivePost` custom post type in the Playbooks plugin, allowing attackers to craft posts that can trigger a denial of service (DoS) across the web app for all users. To address this issue, users should upgrade Mattermost to versions 10.6.0, 10.4.3, 10.5.1, 9.11.11 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-41395.

In Mattermost versions 10.4.x ≤ 10.4.2, 10.5.x ≤ 10.5.0 and 9.11.x ≤ 9.11.10 a medium severity vulnerability CVE-2025-35965 was identified. The issue lies in the failure to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, allowing attackers to create tasks with excessive triggered actions that can overwhelm the server and cause a denial-of-service (DoS) condition. To resolve this issue, users should upgrade Mattermost to versions 10.6.0, 10.4.3, 10.5.1, 9.11.11 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-35965.