30 New WordPress related vulnerabilities - April 28, 2025

List of newly disclosed WordPress-related vulnerabilities:

Plugin/Theme	Vulnerability Summary	CVSS	CVE
aeropage–Aeropage Sync for Airtable	Arbitrary file upload (RCE risk)	8.8	CVE-2025-3914
aonetheme–Service Finder Bookings	Privilege escalation via social login	9.8	CVE-2025-2470
arkenon–Frontend Login and Registration Blocks	Privilege escalation via password reset flaw	8.8	CVE-2025-3607
artbees–Jupiter X Core	PHP Object Injection (potential for RCE if POP chain present)	8.1	CVE-2025-2105
cajka–Verification SMS with TargetSMS	Remote code execution via callable functions	8.3	CVE-2025-3776
dorinabc–Create Custom Forms for WordPress	Arbitrary shortcode execution	7.3	CVE-2025-2801
eyecix–JobSearch WP Job Board	Authentication bypass via social login	8.1	CVE-2024-11917
felipe152–Integração entre Eduzz e WooCommerce	Role escalation to administrator	8.8	CVE-2025-3906
jauharixelion–Xelion Webchat	Privilege escalation via default role modification	8.8	CVE-2025-3058
joedolson–My Tickets Accessible Event Ticketing	Privilege escalation	8.8	CVE-2025-3761
kiranpatil353–Add Custom Page Template	PHP Code Injection (Admin level)	7.2	CVE-2025-3491
ludwigyou–WPMasterToolKit	Directory traversal (Admin level)	7.2	CVE-2025-3300
mra13–WordPress Simple Shopping Cart	Sensitive data exposure	8.2	CVE-2025-3529
mra13–WordPress Simple Shopping Cart	Product price manipulation	7.5	CVE-2025-3530
neoslab–Database Toolset	Arbitrary file deletion (possible RCE)	9.1	CVE-2025-3065
Odin_Design–Vikinger	Privilege escalation via user meta	8.8	CVE-2025-2238
SeaTheme–BM Content Builder	Privilege escalation via unauthorized option updates	8.8	CVE-2025-1279
TeconceTheme–Mayosis Core	Arbitrary file read	7.5	CVE-2025-1565
ThemeMove–EduMall Theme	Local file inclusion (LFI -> possible RCE)	8.1	CVE-2025-2101
v1rustyle–Flynax Bridge	Password reset takeover	9.8	CVE-2025-3603
v1rustyle–Flynax Bridge	Email change takeover	9.8	CVE-2025-3604
wp-configurator–Configurator Theme Core	Privilege escalation	8.8	CVE-2025-3101
wpeverest–User Registration	Reflected XSS	7.1	CVE-2025-39400
WPoperation–Arrival	PHP Local File Inclusion (LFI)	7.5	CVE-2025-32921
WPoperation–Opstore	PHP Local File Inclusion (LFI)	7.5	CVE-2025-39387
WPQuark–eForm	Stored XSS	7.2	CVE-2025-1294
wpsoul–Greenshift Animation and Page Builder Blocks	Arbitrary file upload	8.8	CVE-2025-3616
WPXpro–Xpro Elementor Addons - Pro	Remote code execution via insecure widget	8.8	CVE-2024-13808
buildwps–Prevent Direct Access Protect WordPress Files	Unauthorized file access	5.4	CVE-2025-3861
devitemsllc–ShopLentor	SSRF vulnerability	6.5	CVE-2025-3775

---

Major WordPress Vulnerabilities Disclosed by CISA (April 28, 2025 Summary)

WordPress, being the world’s most popular content management system, continues to be a major target for cyberattacks. In the latest CISA vulnerability bulletin, 30 WordPress-related vulnerabilities have been disclosed. These flaws range from remote code execution (RCE) and privilege escalation to local file inclusion (LFI) and cross-site scripting (XSS).

Below, we detail the major vulnerabilities, beginning with the most critical based on CVSS score and real-world exploitation potential:

---

1. Privilege Escalation in Service Finder Bookings (CVE-2025-2470)

• CVSS Score: 9.8

• Summary:
  The Service Finder Bookings plugin allows attackers to escalate privileges via the “nsl_registration_store_extra_input” function when combined with the Nextend Social Login plugin.
  Attackers can register an account with Administrator privileges without authorization.

• Impact:
  Full site takeover.

• Mitigation:
  Update the plugin immediately and disable social login if unnecessary.

---

2. Privilege Escalation in Flynax Bridge (CVE-2025-3603 and CVE-2025-3604)

• CVSS Score: 9.8

• Summary:
  The Flynax Bridge plugin has two critical flaws:

  • Password reset takeover without authentication.
  • Email address change without authentication.

• Impact:
  Full administrator account hijacking.

• Mitigation:
  Urgently update the plugin or disable it until patched.

---

3. Arbitrary File Deletion via Database Toolset (CVE-2025-3065)

• CVSS Score: 9.1

• Summary:
  The Database Toolset plugin allows unauthenticated users to delete arbitrary files, such as wp-config.php, leading to remote code execution potential.

• Impact:
  Full site compromise.

• Mitigation:
  Immediate update or disable the plugin until verified safe.

---

4. Remote Code Execution in Aeropage Sync for Airtable (CVE-2025-3914)

• CVSS Score: 8.8

• Summary:
  Arbitrary file uploads are possible via a missing file type validation, which may lead to remote code execution.

• Impact:
  Attackers can upload malicious scripts.

• Mitigation:
  Patch the plugin; ensure file upload functions are properly validated.

---

5. Remote Code Execution in Xpro Elementor Addons - Pro (CVE-2024-13808)

• CVSS Score: 8.8

• Summary:
  Exploitable via a custom PHP widget that only uses client-side controls for access management, allowing Contributor-level users to execute code on the server.

• Impact:
  Server-side compromise.

• Mitigation:
  Remove the plugin or update immediately.

---

6. Arbitrary Password Change in Frontend Login and Registration Blocks (CVE-2025-3607)

• CVSS Score: 8.8

• Summary:
  Authenticated attackers can reset arbitrary user passwords, including administrators.

• Impact:
  Full administrative access without knowledge of credentials.

• Mitigation:
  Apply vendor patches immediately.

---

7. Arbitrary Password Reset in Xelion Webchat (CVE-2025-3058)

• CVSS Score: 8.8

• Summary:
  Subscribers can escalate privileges to Administrator by altering site options.

• Impact:
  Total site compromise.

• Mitigation:
  Update the plugin or apply immediate security hardening.

---

8. Privilege Escalation via My Tickets Accessible Event Ticketing (CVE-2025-3761)

• CVSS Score: 8.8

• Summary:
  Flawed access control allows users to modify their roles to Administrator.

• Impact:
  Complete administrative access for basic users.

• Mitigation:
  Update and audit role management processes.

---

9. Privilege Escalation via BM Content Builder (CVE-2025-1279)

• CVSS Score: 8.8

• Summary:
  Attackers can modify arbitrary site options and enable open registration with Administrator roles.

• Impact:
  Mass account creation with Administrator rights.

• Mitigation:
  Update or disable the plugin.

---

Other Notable WordPress Plugin Vulnerabilities:

• Jupiter X Core (CVE-2025-2105): PHP Object Injection (needs POP chain).
• Verification SMS with TargetSMS (CVE-2025-3776): Remote code execution via callables.
• Greenshift Blocks (CVE-2025-3616): Arbitrary file upload.
• JobSearch WP Job Board (CVE-2024-11917): Authentication bypass using social login.
• Simple Shopping Cart (CVE-2025-3529/3530): Sensitive data exposure and price tampering.

---

⚙️ Recommendations for WordPress Site Owners

• Patch All Affected Plugins Immediately.
• Disable or Remove Abandoned or Unmaintained Plugins.
• Audit Site Roles Regularly to ensure no privilege escalation occurred.
• Restrict File Uploads and enforce MIME type validation.
• Implement WAFs (Web Application Firewalls) for added protection.
• Monitor File Integrity to detect unauthorized changes.
• Backup Regularly in case of full compromise recovery needs.