A critical-severity vulnerability, CVE-2025-6389, was detected in the Sneeit Framework plugin for WordPress, versions up to and including 8.3. It allows unauthenticated attackers to achieve Remote Code Execution through the sneeit_articles_pagination_callback() function, which takes untrusted user input and passes it to call_user_func(). Successful exploitation lets attackers execute arbitrary code on the server, potentially leading to backdoor injection or the creation of new administrative accounts. To address this issue, users should upgrade the plugin to version 8.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6389.
A critical-severity vulnerability, CVE-2025-13615, was detected in the StreamTube Core plugin for WordPress, versions up to and including 4.78. It allows unauthenticated attackers to bypass authorization and change user passwords, potentially leading to takeover of administrator accounts. The vulnerability exists because the plugin provides user-controlled access to objects without proper authorization checks. Note that this exploit requires the ‘registration password fields’ option to be enabled in the theme options. To address this issue, users should upgrade the plugin to a fixed version once available. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13615.
A medium-severity vulnerability, CVE-2025-9191, was detected in the Houzez theme for WordPress, versions up to and including 4.1.6. It allows authenticated attackers with Subscriber-level access and above to perform PHP Object Injection via deserialization of untrusted input in saved-search-item.php. While no known POP chain is present in the theme itself, the vulnerability can lead to arbitrary file deletion, sensitive data retrieval, or code execution if another plugin or theme containing a POP chain is installed on the site. To address this issue, users should upgrade the theme to version 4.1.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9191.
A medium-severity vulnerability, CVE-2025-9163, was detected in the Houzez theme for WordPress, versions up to and including 4.1.6. It allows unauthenticated attackers to perform Stored Cross-Site Scripting (XSS) by uploading malicious SVG files, due to insufficient input sanitization and output escaping in the houzez_property_img_upload() and houzez_property_attachment_upload() functions. Exploitation can lead to arbitrary script execution whenever a user accesses the injected SVG file. To address this issue, users should upgrade the theme to version 4.1.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9163.
A high-severity vulnerability, CVE-2025-9624, was detected in OpenSearch versions prior to 3.2.0. It allows attackers to cause a denial of service (DoS) by submitting complex query_string inputs. To address this issue, users should upgrade OpenSearch to version 3.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9624.
A medium-severity vulnerability, CVE-2025-12559, was detected in Mattermost versions 11.0.x through 11.0.2, 10.12.x through 10.12.1, 10.11.x through 10.11.4, and 10.5.x through 10.5.12. It allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint, because the server fails to sanitize team email addresses so that they are visible only to Team Admins. To address this issue, users should upgrade Mattermost to versions 11.0.3, 10.12.2, 10.11.5, 10.5.13 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-12559.
A critical-severity vulnerability, CVE-2025-12421, was detected in Mattermost versions 11.0.x through 11.0.2, 10.12.x through 10.12.1, 10.11.x through 10.11.4, and 10.5.x through 10.5.12. It allows an authenticated user to perform account takeover via a specially crafted email address when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The cause is a failure to verify that the token used during the code exchange originates from the same authentication flow. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled). To address this issue, users should upgrade Mattermost to versions 11.0.3, 10.12.2, 10.11.5, 10.5.13 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-12421.
A critical-severity vulnerability, CVE-2025-12419, was detected in Mattermost versions 10.12.x through 10.12.1, 10.11.x through 10.11.4, 10.5.x through 10.5.12, and 11.0.x through 11.0.3. It allows an authenticated attacker with team creation privileges to take over a user account by manipulating authentication data during the OAuth completion flow. The cause is improper validation of OAuth state tokens during OpenID Connect authentication. The vulnerability requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system, one of which has never logged into Mattermost. To address this issue, users should upgrade Mattermost to versions 10.12.2, 10.11.5, 10.5.13, and 11.0.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-12419.
A high-severity vulnerability, CVE-2025-7820, was detected in the SKT PayPal for WooCommerce plugin for WordPress, versions up to and including 1.4. It allows unauthenticated attackers to bypass payment processing because the plugin enforces payment checks on the client side instead of the server side. As a result, attackers can make confirmed purchases without actually paying. To address this issue, users should upgrade to a fixed version once available. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7820.