CVE-2025-27888 – Apache Druid Vulnerability
March 24, 2025
SvcStealer Malware Targeting Users to Extract Sensitive Data from Browsers and Applications – Active IOCs
March 24, 2025
Severity
High
Analysis Summary
CVE-2025-2539 CVSS:7.5
The File Away plugin for WordPress is missing a capability check on its ajax() function, allowing a remote attacker to bypass security restrictions and invoke the actions that function dispatches.
CVE-2024-12920 CVSS:8.8
The FoodBakery | Delivery Restaurant Directory theme for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all functions in all versions up to, and including, 4.7. These are the same functions affected by CVE-2024-13933; the missing capability check means a low-privileged authenticated user can call them directly, independently of the CSRF issue.
CVE-2024-13933 CVSS:8.8
The FoodBakery | Delivery Restaurant Directory theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.7, due to missing or incorrect nonce validation on the foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all functions. An unauthenticated attacker can trigger these functions with an administrator's privileges by getting the administrator to follow a link or load a page that submits the forged request. A nonce check and a capability check are separate controls: adding one does not fix the absence of the other.
CVE-2024-13790 CVSS:9.8
The MinimogWP – The High Converting eCommerce WordPress Theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.7.0 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data,
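As an added example (not MinimogWP's code; the function, file and parameter names are hypothetical), the include pattern behind a 'template'-parameter file inclusion beside a version in which the parameter is a lookup key rather than a path fragment:

```php
<?php
// Added example; not code from MinimogWP. Function, file and parameter names are hypothetical.

// BEFORE: the LFI pattern. The request parameter becomes part of the include path,
// so "../" sequences reach any readable file on the server, and include() executes
// whatever PHP it finds there. Appending ".php" does not help: any existing .php
// file, or any file the attacker can place on the server under a .php name, is in reach.
function vuln_render_template() {
    $tpl = $_GET['template'];
    include get_template_directory() . '/templates/' . $tpl . '.php';
}

// AFTER: the parameter selects from a fixed map and never touches the filesystem path.
function hardened_render_template() {
    $allowed = array(
        'grid' => 'templates/product-grid.php',
        'list' => 'templates/product-list.php',
    );
    // sanitize_key() lowercases and strips everything but [a-z0-9_-]; the array
    // lookup then rejects anything that is not one of our own keys.
    $key = isset( $_GET['template'] ) ? sanitize_key( wp_unslash( $_GET['template'] ) ) : 'grid';
    if ( ! array_key_exists( $key, $allowed ) ) {
        $key = 'grid';
    }
    // locate_template() searches only the child and parent theme directories.
    $path = locate_template( $allowed[ $key ] );
    if ( $path ) {
        load_template( $path, false );
    }
}
```

If a fixed map is impractical, the fallback is to resolve the candidate with realpath() and require that the result starts with the intended directory before including it; a character filter alone is not sufficient once the value is concatenated into a path.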
CVE-2024-13410 CVSS:9.8
The CozyStay and TinySalt themes for WordPress are vulnerable to PHP object injection: untrusted input is passed to unserialize(), so a remote attacker can instantiate arbitrary PHP objects with a specially crafted request. On its own this does not execute code; combined with a suitable property-oriented programming (POP) chain in another installed plugin or theme it can lead to arbitrary file deletion, data disclosure, or code execution. The 9.8 score reflects that no authentication is required to reach the vulnerable code.
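As an added example (not CozyStay or TinySalt code; names are hypothetical), the unserialize() pattern behind a PHP object injection beside a helper that refuses to instantiate any class. The helper has no WordPress dependency and can be run with `php file.php` on the command line:

```php
<?php
// Added example; not code from CozyStay or TinySalt. Handler, option and
// parameter names are hypothetical.

// True if any value in the (nested) array is an object.
function contains_object( array $a ): bool {
    foreach ( $a as $v ) {
        if ( is_object( $v ) || ( is_array( $v ) && contains_object( $v ) ) ) {
            return true;
        }
    }
    return false;
}

// Deserialize a serialized PHP array while refusing to instantiate any class.
// Returns the array, or null if the input is malformed or carries an object.
function safe_unserialize_array( string $raw ): ?array {
    // allowed_classes => false turns every "O:" / "C:" token into
    // __PHP_Incomplete_Class, so no real class's __wakeup() or __destruct() runs.
    $value = @unserialize( $raw, array( 'allowed_classes' => false ) );
    if ( ! is_array( $value ) || contains_object( $value ) ) {
        return null;
    }
    return $value;
}

// BEFORE: the object-injection pattern. Whatever class the attacker names is
// instantiated, and its magic methods run with the web server's privileges.
function vuln_ajax_handler() {
    $state = unserialize( base64_decode( $_POST['state'] ) );
    update_option( 'cozy_state', $state );
    wp_send_json_success();
}

// AFTER. (The nonce and capability checks called for elsewhere in this advisory
// belong here as well; they are left out to keep the focus on deserialization.)
function hardened_ajax_handler() {
    $raw   = base64_decode( wp_unslash( $_POST['state'] ?? '' ), true );
    $state = ( $raw === false ) ? null : safe_unserialize_array( $raw );
    if ( $state === null ) {
        wp_send_json_error( 'invalid state', 400 );
    }
    update_option( 'cozy_state', $state );
    wp_send_json_success();
}

// Command-line demonstration on constructed inputs (skipped when loaded by WordPress).
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_action' ) ) {
    var_dump( safe_unserialize_array( serialize( array( 'view' => 'grid', 'page' => 2 ) ) ) );
    var_dump( safe_unserialize_array( 'O:8:"stdClass":0:{}' ) );
    var_dump( safe_unserialize_array( 'a:1:{s:1:"k";O:8:"stdClass":0:{}}' ) );
}
```

Run from the command line, the first call returns the two-element array and the other two return null, because the stdClass payloads come back as __PHP_Incomplete_Class and are rejected. For new code paths the simpler option is to carry state as JSON and decode it with json_decode( $raw, true ), which can never produce an object whose magic methods run.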
CVE-2024-13412 CVSS:7.5
The CozyStay theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handler function in all versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to invoke any action the handler dispatches.
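The missing capability checks in CVE-2025-2539, CVE-2024-12920 and CVE-2024-13412 and the missing nonce validation in CVE-2024-13933 are the same two omissions in an admin-ajax.php handler. As an added example (not code from File Away, FoodBakery or CozyStay; hook, option and directory names are hypothetical), a handler with both omissions beside one that checks the nonce, the capability and the input separately:

```php
<?php
// Added example; not code from File Away, FoodBakery or CozyStay. Hook, option
// and directory names are hypothetical.

// BEFORE: the pattern the advisory describes. The nopriv hook exposes the action
// to visitors who are not logged in; with no nonce any site can forge the request
// (CSRF), and with no capability check nothing verifies the caller may delete backups.
function vuln_backup_file_delete() {
    $file = $_POST['file'];
    unlink( WP_CONTENT_DIR . '/backups/' . $file );
    wp_send_json_success();
}
add_action( 'wp_ajax_vuln_backup_file_delete', 'vuln_backup_file_delete' );
add_action( 'wp_ajax_nopriv_vuln_backup_file_delete', 'vuln_backup_file_delete' );

// AFTER: three separate checks, because each stops a different attacker.
function hardened_backup_file_delete() {
    // CSRF: the request must carry a nonce minted for this action and this user.
    // On failure check_ajax_referer() ends the request with -1 and HTTP 403.
    check_ajax_referer( 'backup_file_delete', 'nonce' );

    // Authorization: a valid nonce proves intent, not privilege. Any logged-in user
    // can mint a nonce for their own session, so the capability check is still needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Input: reduce the value to a bare filename and confirm it resolves inside the
    // backup directory before touching the filesystem.
    $dir  = realpath( WP_CONTENT_DIR . '/backups' );
    $file = sanitize_file_name( wp_unslash( $_POST['file'] ?? '' ) );
    $path = ( $dir && $file !== '' ) ? realpath( $dir . DIRECTORY_SEPARATOR . $file ) : false;
    if ( $path === false || strpos( $path, $dir . DIRECTORY_SEPARATOR ) !== 0 ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    unlink( $path );
    wp_send_json_success();
}
// No wp_ajax_nopriv_ registration: admin-ajax.php answers unauthenticated requests with "0".
add_action( 'wp_ajax_hardened_backup_file_delete', 'hardened_backup_file_delete' );

// The nonce is handed only to the admin page that legitimately triggers the action.
function hardened_admin_assets() {
    wp_enqueue_script( 'hardened-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'hardened-admin', 'hardenedAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'backup_file_delete' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'hardened_admin_assets' );
```

A quick check for a handler's exposure is to request admin-ajax.php?action=<name> while logged out: a body of 0 means no wp_ajax_nopriv_ hook is registered for it. A logged-in low-privileged user sending the request without the nonce should receive -1 with status 403, and with a valid nonce but without the capability should receive the 403 error JSON; if either request succeeds, one of the two checks is missing.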
Impact
- Security Bypass
- Code Execution
- Gain Access
Indicators of Compromise
CVE
CVE-2025-2539
CVE-2024-12920
CVE-2024-13933
CVE-2024-13790
CVE-2024-13410
CVE-2024-13412
Affected Vendors
- WordPress
Affected Products
- WordPress File Away Plugin for WordPress 3.9.9.0.1
- Chimpstudio FoodBakery | Delivery Restaurant Directory WordPress Theme - *
- ThemeMove MinimogWP – The High Converting eCommerce WordPress Theme - *
- WordPress TinySalt Theme for WordPress 3.9.0
- WordPress CozyStay Theme for WordPress 1.7.0
Remediation
Upgrade to the latest version of each affected plugin or theme. File Away is distributed through the WordPress.org plugin directory; the FoodBakery, MinimogWP, CozyStay and TinySalt themes are commercial products updated through their vendors' own channels, so confirm the fixed version with the vendor rather than waiting for a WordPress.org update notice. Where a fix is not yet available, deactivating the affected theme or plugin removes the exposed AJAX actions, and an inventory of installed themes and plugins, including inactive ones, shows whether a site is affected.