[Guest Diary] Hunting for SharePoint In-Memory ToolShell Payloads
Published: 2025-12-02
Last Updated: 2025-12-01 23:27:08 UTC
by James Woodworth, SANS.edu BACS Student (Version: 1)
[This is a Guest Diary by James Woodworth, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program.]
In July 2025, many of us were introduced to the Microsoft SharePoint exploit chain known as ToolShell. ToolShell exploits the deserialization and authentication bypass vulnerabilities, CVE-2025-53770 and CVE-2025-53771, in on-premises SharePoint Server 2016, 2019, and Subscription editions. When the exploit chain was initially introduced, threat actors used payloads that attempted to upload web shells to a SharePoint server’s file system. The problem for threat actors was that the uploaded web shells were easily detectable by most Endpoint Detection and Response (EDR) solutions. So the threat actors upped the game and reworked their payloads to execute in-memory. This new technique made it more difficult for defenders to detect the execution of these new payloads.
Many articles have been written on the technical details of the ToolShell vulnerabilities, so I won’t go into an in-depth analysis here. If you want an in-depth analysis, check out the Securelist article, ToolShell: a story of five vulnerabilities in Microsoft SharePoint. What I will present to you in this post is a process using Zeek Network Security Monitor, DaemonLogger, and Wireshark to hunt for in-memory ToolShell exploit payloads and how to decode them for further analysis.
Review Zeek Logs
The first step in the hunt is to review the HTTP requests to our SharePoint server. We will do this by reviewing our Zeek http logs and looking for POST requests that contain the following indicators of a malicious request ...
Read the full entry: https://isc.sans.edu/diary/Guest+Diary+Hunting+for+SharePoint+InMemory+ToolShell+Payloads/32524/
Conflicts between URL mapping and URL based access control
Published: 2025-11-24
Last Updated: 2025-11-24 16:54:38 UTC
by Johannes Ullrich (Version: 1)
We continue to encounter high-profile vulnerabilities related to the use of URL mapping (or "aliases") with URL-based access control. Last week, we wrote about the Oracle Identity Manager vulnerability. I noticed some scans for an older vulnerability with similar roots today ...
This request attempts to exploit a vulnerability in Hitachi Vantara Pentaho Business Analytics Server (CVE-2022-43939 and CVE-2022-43769). In this case, the end of the URL (/require[.]js) bypasses authentication. However, the request is still processed by "ldapTreeNodeChildren", which is vulnerable to a template injection, causing the code to be executed. As last week, it appears that the "Chicago Rapper" Rondo botnet is again exploiting this vulnerability.
However, let's examine the underlying cause of this issue.
For many applications, it makes sense to exempt certain URLs from authentication. For example, help pages, a password reset page, or a customer support contact page may need to be accessible even if the user is not logged in.
Webservers offer a wide range of options to map URLs to files on the web server's file system. For example, for our API, we use this directive in Apache's configuration ...
Read the full entry: https://isc.sans.edu/diary/Conflicts+between+URL+mapping+and+URL+based+access+control/32518/
Use of CSS stuffing as an obfuscation technique?
Published: 2025-11-21
Last Updated: 2025-11-21 09:48:20 UTC
by Jan Kopriva (Version: 1)
From time to time, it can be instructive to look at generic phishing messages that are delivered to one’s inbox or that are caught by basic spam filters. Although one usually doesn’t find much of interest, sometimes these little excursions into what should be a run-of-the-mill collection of basic, commonly used phishing techniques can lead one to find something new and unusual. This was the case with one of the messages delivered to our handler inbox yesterday ...
Read the full entry: https://isc.sans.edu/diary/Use+of+CSS+stuffing+as+an+obfuscation+technique/32510/
2025 SANS Holiday Hack Challenge
Create your avatar, explore the new holiday adventure, and put your cybersecurity skills to the test through interactive challenges and puzzles. See if you’ve got what it takes to save the holidays.
https://www.sans.org/cyber-ranges/holiday-hack-challenge
YARA-X 1.10.0 Release: Fix Warnings (2025.11.23)
https://isc.sans.edu/diary/YARAX+1100+Release+Fix+Warnings/32514/
Wireshark 4.4.1 Released (2025.11.23)
https://isc.sans.edu/diary/Wireshark+441+Released/32512/
Oracle Identity Manager Exploit Observation from September (CVE-2025-61757) (2025.11.20)
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2025-53770 - Microsoft SharePoint Server is vulnerable to code execution by unauthorized attackers through deserialization of untrusted data; an exploit is already in the wild.
Product: Microsoft SharePoint Server
CVSS Score: 0
** KEV since 2025-07-20 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53770
ISC Diary: https://isc.sans.edu/diary/32524
CVE-2025-53771 - Microsoft Office SharePoint is susceptible to path traversal which could enable a spoofing attack over a network.
Product: Microsoft Office SharePoint
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53771
ISC Diary: https://isc.sans.edu/diary/32524
CVE-2025-48633 - Android Framework contains an unspecified vulnerability that allows for information disclosure.
Product: Android Framework
CVSS Score: N/A
** KEV since 2025-12-02 **
CVE Record: https://www.cve.org/CVERecord?id=CVE-2025-48633 (Reserved)
ISC Podcast: https://isc.sans.edu/podcastdetail/9720
Reference: https://source.android.com/docs/security/bulletin/2025-12-01
CVE-2025-48572 - Android Framework contains an unspecified vulnerability that allows for privilege escalation.
Product: Android Framework
CVSS Score: N/A
** KEV since 2025-12-02 **
CVE Record: https://www.cve.org/CVERecord?id=CVE-2025-48572 (Reserved)
ISC Podcast: https://isc.sans.edu/podcastdetail/9720
Reference: https://source.android.com/docs/security/bulletin/2025-12-01
CVE-2025-58360 - GeoServer versions 2.26.0 to 2.26.2 and 2.25.6 are vulnerable to an XML External Entity (XXE) exploit through the /geoserver/wms endpoint allowing attackers to define external entities within XML requests.
Product: GeoServer
CVSS Score: 8.2
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-58360
ISC Podcast: https://isc.sans.edu/podcastdetail/9718
NVD References:
- https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525
- https://osgeo-org.atlassian.net/browse/GEOS-11682
CVE-2025-60739 - Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 - 2025_07_21 is vulnerable to CSRF, allowing remote attackers to execute arbitrary code via the /bh_web_backend component.
Product: Ilevia EVE X1 Server Firmware
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60739
CVE-2025-63729 - Syrotech SY-GPON-1110-WDONT allows attackers to extract sensitive SSL information from firmware.
Product: Syrotech SY-GPON-1110-WDONT SYRO_3.7L_3.1.02-240517
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63729
CVE-2025-33187 - NVIDIA DGX Spark GB10 has a vulnerability in SROOT, allowing attackers with privileged access to potentially execute code, disclose information, tamper with data, disrupt services, or escalate privileges.
Product: NVIDIA DGX OS
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-33187
NVD References:
- https://nvidia.custhelp.com/app/answers/detail/a_id/5720
- https://www.cve.org/CVERecord?id=CVE-2025-33187
CVE-2025-65084 - Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.207 and prior are vulnerable to an Out-of-Bounds Write flaw that could lead to information disclosure or code execution.
Product: Ashlar-Vellum
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65084
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-01
CVE-2025-65085 - Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.207 and prior are vulnerable to a Heap-based Buffer Overflow flaw that could lead to data disclosure or code execution.
Product: Ashlar-Vellum
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65085
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-01
CVE-2025-61168 - SIGB PMB v8.0.1.14 is vulnerable to remote code execution through unserializing arbitrary files in cms_rest.php.
Product: SIGB PMB
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61168
CVE-2025-64063 - Primakon Pi Portal 1.0.18 API endpoints lack sufficient authorization checks, allowing standard users to bypass UI restrictions, manipulate data outside their scope, and potentially compromise data integrity and confidentiality.
Product: Primakon Project Contract Management
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64063
CVE-2025-51742 through CVE-2025-51746 - JSH_ERP 2.3.1 by jishenghua is vulnerable to Fastjson deserialization.
Product: JSH_ERP
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-51742
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-51743
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-51744
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-51745
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-51746
CVE-2025-64656 - Out-of-bounds read in Application Gateway allows an unauthorized attacker to elevate privileges over a network.
Product: Microsoft Application Gateway
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64656
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64656
CVE-2025-64657 - Stack-based buffer overflow in Azure Application Gateway allows an unauthorized attacker to elevate privileges over a network.
Product: Microsoft Azure Application Gateway
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64657
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64657
CVE-2025-66022 - FACTION allows unauthenticated users to upload malicious extensions that can execute arbitrary system commands on the host running Faction before version 1.7.1, enabling remote code execution (RCE).
Product: FACTION PenTesting Report Generation and Collaboration Framework
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66022
CVE-2025-59390 - Apache Druid's Kerberos authenticator vulnerability allows for weak fallback secrets to be generated by `ThreadLocalRandom`, potentially enabling attackers to predict or brute force authentication cookies, leading to token forgery or authentication bypass.
Product: Apache Druid Kerberos authenticator
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59390
NVD References: https://www.openwall.com/lists/oss-security/2025/11/26/1
CVE-2025-62354 - Cursor allows unauthorized attackers to execute arbitrary code by improperly handling special elements in OS commands, leading to command injections.
Product: Cursor
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62354
CVE-2025-65236 - OpenCode Systems USSD Gateway OC Release: 5 is vulnerable to SQL injection via the Session ID parameter in the /occontrolpanel/index.php endpoint.
Product: OpenCode Systems USSD Gateway OC
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65236
CVE-2025-55469 - Incorrect access control in youlai-boot v2.21.1 allows attackers to escalate privileges and access the Administrator backend.
Product: youlai youlai-boot
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55469
CVE-2025-64126 - The application is vulnerable to OS command injection due to lack of proper input validation, allowing attackers to inject arbitrary commands.
Product: Zenitel TCIV-3+
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64126
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03
CVE-2025-64127 - The vulnerable product allows unauthenticated attackers to execute arbitrary commands remotely by incorporating user-supplied input into OS commands without proper validation.
Product: Zenitel TCIV-3+
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64127
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03
CVE-2025-64128 - The vulnerable product is susceptible to OS command injection due to inadequate validation of user inputs, potentially enabling attackers to insert arbitrary commands.
Product: Zenitel TCIV-3+
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64128
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03
CVE-2025-64130 - Zenitel TCIV-3+ is susceptible to a reflected cross-site scripting vulnerability, enabling remote attackers to run malicious JavaScript on victims' browsers.
Product: Zenitel TCIV-3+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64130
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03
CVE-2025-26155 - NCP Secure Enterprise Client 13.18 and NCP Secure Entry Windows Client 13.19 have an Untrusted Search Path vulnerability.
Product: NCP Secure Enterprise Client 13.18
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26155
CVE-2025-65669 - classroomio 0.1.13 allows students to delete courses from the Explore page without proper authorization, bypassing admin-only restrictions.
Product: classroomio 0.1.13
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65669
CVE-2025-50433 - Imonnit.com (2025-04-24) is vulnerable to malicious actors gaining escalated privileges and taking over arbitrary user accounts through a crafted password reset.
Product: Imonnit.com
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50433
CVE-2025-65276 - HashTech project is vulnerable to unauthenticated administrative access, allowing attackers to take full control of the admin dashboard and perform various malicious activities.
Product: HashTech
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65276
CVE-2025-40934 - XML-Sig versions 0.27 through 0.67 incorrectly validate XML files if signatures are omitted, allowing attackers to pass verification checks by removing the signature from the XML document.
Product: XML-Sig Perl
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40934
CVE-2025-12419 - Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 are vulnerable to an issue where an authenticated attacker with team creation privileges can take over a user account by manipulating authentication data during the OAuth completion flow.
Product: Mattermost
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12419
CVE-2025-12421 - Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 have a vulnerability that allows an authenticated user to perform account takeover via a specially crafted email address when switching authentication methods.
Product: Mattermost
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12421
CVE-2025-64314 - Permission control vulnerability in the memory management module. Impact: Successful exploitation of this vulnerability may affect confidentiality.
Product: Huawei Harmonyos
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64314
CVE-2025-65112 - PubNet is vulnerable to an identity spoofing and privilege escalation issue in version 1.1.3 due to unauthenticated users being able to upload packages as any user by providing arbitrary author-id values.
Product: PubNet Dart & Flutter package service
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65112
CVE-2025-35028 - HexStrike AI MCP server allows attackers to execute commands with root privileges by providing a command-line argument starting with a semi-colon to an API endpoint created by the EnhancedCommandExecutor class.
Product: HexStrike AI MCP server
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-35028
CVE-2025-12106 - OpenVPN fails to properly validate arguments, leading to a heap buffer over-read vulnerability.
Product: OpenVPN
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12106
CVE-2025-63525 - Blood Bank Management System 1.0 is vulnerable to authenticated attackers gaining elevated privileges through a crafted request in delete.php.
Product: Shridharshukl Blood_Bank_Management_System 1.0
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63525
CVE-2025-63531 - Blood Bank Management System 1.0's receiverLogin.php component is vulnerable to SQL injection, enabling attackers to bypass authentication and access the system through manipulation of user-supplied input.
Product: Shridharshukl Blood_Bank_Management_System 1.0
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63531
CVE-2025-63532 - Blood Bank Management System 1.0's cancel.php component allows attackers to inject SQL code through the search field, bypass authentication, and gain unauthorized access.
Product: Shridharshukl Blood_Bank_Management_System 1.0
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63532
CVE-2025-63535 - Blood Bank Management System 1.0 abs.php allows attackers to inject SQL code through the search field, leading to unauthorized system access.
Product: Shridharshukl Blood_Bank_Management_System 1.0
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63535
CVE-2025-3500 - Avast Antivirus (25.1.981.6) on Windows is vulnerable to Integer Overflow and Privilege Escalation before version 25.3.
Product: Avast Antivirus
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-3500
CVE-2025-8351 - Avast Antivirus on MacOS is vulnerable to a Heap-based Buffer Overflow, Out-of-bounds Read issue during file scanning, potentially enabling Local Code Execution or Denial-of-Service of the antivirus engine process between versions 8.3.70.94 and 8.3.70.98.
Product: Avast Antivirus
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8351
CVE-2025-51682 - mJobtime 15.7.2 has a client-side authorization vulnerability allowing attackers to modify code and access administrative features.
Product: mJobtime 15.7.2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-51682
CVE-2025-65836 - PublicCMS V5.202506.b is vulnerable to SSRF in the chat interface of SimpleAiAdminController.
Product: PublicCMS
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-65836
CVE-2025-66401 - MCP Watch is vulnerable to command injection in the cloneRepo method due to user-supplied githubUrl not being sanitized before passing to execSync.
Product: MCP Watch
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66401
CVE-2025-41742 - Sprecher Automations SPRECON-E-C, SPRECON-E-P, SPRECON-E-T3 are vulnerable to unauthorized remote attacks due to default cryptographic keys, enabling attackers to manipulate projects and data or access devices through remote maintenance.
Product: Sprecher Automations SPRECON-E series
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41742
NVD References: https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511042_de.pdf
CVE-2025-41744 - Sprecher Automations SPRECON-E series has default cryptographic keys that can be exploited by remote attackers, compromising data confidentiality and integrity.
Product: Sprecher Automations SPRECON-E series
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41744
NVD References: https://www.sprecher-automation.com/fileadmin/itSecurity/PDF/SPR-2511043_de.pdf
CVE-2025-6389 - The Sneeit Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to 8.3 via the sneeit_articles_pagination_callback() function, allowing unauthenticated attackers to execute code on the server and potentially create new administrative user accounts.
Product: WordPress Sneeit Framework plugin
Active Installations: Unknown. Update to version 8.4, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6389
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/b5ed8a39-50b0-4acf-9054-ba389c49f345?source=cve
CVE-2025-13559 - The EduKart Pro plugin for WordPress allows unauthenticated attackers to gain administrator access by exploiting a Privilege Escalation vulnerability.
Product: EduKart Pro WordPress
Active Installations: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13559
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/d3a5be68-8073-48b0-a536-bb3a05e83dda?source=cve
CVE-2025-13595 - The CIBELES AI plugin for WordPress allows unauthenticated attackers to upload arbitrary files, leading to potential remote code execution.
Product: CIBELES AI plugin for WordPress
Active Installations: Unknown. Update to version 1.10.9, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13595
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/b3e89a1c-7606-4391-a389-fa18d0967046?source=cve
CVE-2025-13538 - The FindAll Listing plugin for WordPress allows unauthenticated attackers to gain administrator access by exploiting a Privilege Escalation vulnerability in versions up to 1.0.5.
Product: WordPress FindAll Listing plugin
Active Installations: Unknown. Update to version 1.1, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13538
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/14981949-271c-4f98-a6a1-b00619f1436d?source=cve
CVE-2025-13539 - The FindAll Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.4, allowing unauthenticated attackers to potentially log in as administrative users.
Product: WordPress FindAll Membership plugin
Active Installations: Unknown. Update to version 1.1, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13539
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/a856a96a-68d2-462d-b523-840668980807?source=cve
CVE-2025-13540 - The Tiare Membership plugin for WordPress permits Privilege Escalation up to version 1.2 by allowing unauthenticated attackers to register as administrators through the 'tiare_membership_init_rest_api_register' function.
Product: Tiare Membership plugin for WordPress
Active Installations: Unknown. Update to version 1.3, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13540
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/6cf01a38-1fba-4c93-b3fa-acfdd5b19410?source=cve
CVE-2025-13675 - The Tiger theme for WordPress is vulnerable to Privilege Escalation allowing unauthenticated attackers to register as administrators.
Product: WordPress Tiger theme
Active Installations: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13675
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/4750b57e-7d8d-49d7-bbbf-46483eb97bd9?source=cve
CVE-2025-13615 - The StreamTube Core plugin for WordPress allows unauthenticated attackers to change user passwords and potentially take over administrator accounts due to a vulnerability in versions up to 4.78.
Product: StreamTube WordPress Core plugin
Active Installations: Unknown. Update to version 4.79, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13615
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/b812a0d7-99a1-4f61-b78a-78cea6a2ada1?source=cve
CVE-2025-13542 - The DesignThemes LMS plugin for WordPress allows unauthenticated attackers to achieve Privilege Escalation by registering as administrators.
Product: DesignThemes LMS plugin for WordPress
Active Installations: Unknown. Update to version 1.0.5, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13542
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/c880470f-3f81-47a2-b450-7074410e9f43?source=cve
AWS AI Security Best Practices Cheat Sheet: Building and deploying AI applications using AWS managed-AI services? Secure AI on AWS with Wiz's new cheat sheet: get tips to spot risks, prevent misconfigurations, and protect your AI pipeline from code to cloud.
How do you uplevel your security? With an EAP. Read the 2025 Gartner® Magic Quadrant™ for Exposure Assessment Platforms. See why Sevco is named a Visionary.
Webcast | The Future of Network Security: A Thought Leader's Guide to Hybrid Mesh Firewall | Friday, January 9, 2026 @ 1:00 pm ET In this webinar, Kevin Garvey, SANS and Rick Miles, Cisco will explore the hybrid mesh firewall approach and its effective deployment at scale. The session will also outline how to strategically align security controls across diverse infrastructures and share practical steps to accelerate your hybrid security implementation.