Published On: Sep 29, 2025 15:03
Advisory No: TZCERT-SA-25-0112
Source: Wordfence
Software Affected: wpcasa, sf-booking, WooCommerce-Multi-Locations-Inventory-Management, podlove-podcasting-plugin-for-wordpress, uni-woo-custom-product-options-premium
Five WordPress plugins contain critical vulnerabilities. Exploitation of these vulnerabilities may allow an unauthenticated attacker to execute code remotely.
The WordPress plugins wpcasa, sf-booking, WooCommerce-Multi-Locations-Inventory-Management, podlove-podcasting-plugin-for-wordpress and uni-woo-custom-product-options-premium are affected by the vulnerabilities tracked as CVE-2025-9321, CVE-2025-5948, CVE-2025-9054, CVE-2025-10147 and CVE-2025-10412, each with a CVSS score of 9.8. The plugins and weaknesses are listed in the same order:
- wpcasa, CVE-2025-9321: insufficient input validation and restriction on the 'api_requests' function.
- sf-booking, CVE-2025-5948: improper validation of a user's identity before claiming a business via the claim_business AJAX action.
- WooCommerce-Multi-Locations-Inventory-Management, CVE-2025-9054: missing capability check on the 'wcmlim_settings_ajax_handler' function.
- podlove-podcasting-plugin-for-wordpress, CVE-2025-10147: missing file type validation in the 'move_as_original_file' function.
- uni-woo-custom-product-options-premium, CVE-2025-10412: misconfigured file type validation in the 'uni_cpo_upload_file' function.
Depending on the flaw, successful exploitation allows unauthenticated attackers to call arbitrary functions and execute code, or to log in as any user, including administrators.
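The following is an added, hypothetical example and not code from any plugin named in this advisory. It shows two of the weakness classes the advisory describes, an AJAX handler reachable without a capability check that calls whatever function the request names, and a file upload without file-type validation, next to a hardened version that uses WordPress' own nonce, capability and upload checks. All hook, function and parameter names (demo_settings, demo_refresh_cache, the 'op' and 'file' parameters) are invented for illustration.

```php
<?php
// Added, hypothetical example: not code from any plugin named in this advisory.
// Vulnerable pattern next to a hardened one; all names below are invented.

// --- Vulnerable pattern ---------------------------------------------------
// Registered for unauthenticated visitors (wp_ajax_nopriv_) and trusts the request.
add_action( 'wp_ajax_nopriv_demo_settings', 'demo_settings_ajax_handler_vulnerable' );
add_action( 'wp_ajax_demo_settings',        'demo_settings_ajax_handler_vulnerable' );

function demo_settings_ajax_handler_vulnerable() {
    // Arbitrary function call: the callable name comes straight from the client.
    $callback = $_POST['action_name'];
    $result   = call_user_func( $callback, $_POST['args'] ?? array() );

    // Arbitrary file upload: no extension or MIME check, written under the web root.
    if ( ! empty( $_FILES['file'] ) ) {
        $dest = WP_CONTENT_DIR . '/uploads/' . basename( $_FILES['file']['name'] );
        move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    }
    wp_send_json_success( $result );
}

// --- Hardened pattern -----------------------------------------------------
// Logged-in users only (no wp_ajax_nopriv_ hook), nonce and capability checks,
// an allowlist of callables, and wp_handle_upload() with a restricted MIME list.
add_action( 'wp_ajax_demo_settings_safe', 'demo_settings_ajax_handler_hardened' );

function demo_settings_ajax_handler_hardened() {
    check_ajax_referer( 'demo_settings_nonce', 'nonce' );   // CSRF protection
    if ( ! current_user_can( 'manage_options' ) ) {         // capability check
        wp_send_json_error( 'forbidden', 403 );
    }

    // Map request values to fixed functions instead of calling what the client names.
    $allowed = array(
        'refresh_cache' => 'demo_refresh_cache',
        'export_csv'    => 'demo_export_csv',
    );
    $op = isset( $_POST['op'] ) ? sanitize_key( $_POST['op'] ) : '';
    if ( ! isset( $allowed[ $op ] ) ) {
        wp_send_json_error( 'unknown operation', 400 );
    }
    $result = call_user_func( $allowed[ $op ] );

    if ( ! empty( $_FILES['file'] ) ) {
        // wp_handle_upload() checks extension and MIME type against 'mimes' and
        // rejects anything else, so a .php or .phtml payload is refused, not stored.
        $overrides = array(
            'test_form' => false,
            'mimes'     => array( 'csv' => 'text/csv', 'png' => 'image/png' ),
        );
        require_once ABSPATH . 'wp-admin/includes/file.php';
        $upload = wp_handle_upload( $_FILES['file'], $overrides );
        if ( isset( $upload['error'] ) ) {
            wp_send_json_error( $upload['error'], 400 );
        }
        $result['file'] = $upload['url'];
    }
    wp_send_json_success( $result );
}

function demo_refresh_cache() { return array( 'cache' => 'refreshed' ); }
function demo_export_csv()    { return array( 'export' => 'queued' ); }
```

When reviewing a plugin for these classes, look for every wp_ajax_nopriv_ registration and confirm that the handler it points to both verifies a nonce and checks a capability; for uploads, confirm the code goes through wp_handle_upload() or wp_check_filetype_and_ext() rather than move_uploaded_file() on the raw filename.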
Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected WordPress site.
The developers of the affected plugins have released patched versions. Users and administrators are encouraged to check the installed version of each plugin (for example with `wp plugin list` in WP-CLI or from the Plugins screen) and update to the patched release; where a patched version is not available for an installed plugin, deactivate or remove it until one is.
A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.