[Security Vulnerability Alert] Six security vulnerabilities exist in WordPress plugins and themes. Please check for them and patch as soon as possible.

Issuing unit: Digital Services Section, Office of Library and Information Services
Date range: 2025/12/5 ~ 2026/6/5
Category: Administrative announcement
Audience: All

Forwarded from the National Cybersecurity Information Sharing and Analysis Center, security alert NISAC-200-202512-00000041

[Content Description]
Researchers have found six high-risk security vulnerabilities in WordPress plugins and themes. Please check whether you are affected and patch as soon as possible.

1. The Blubrry PowerPress plugin has an Arbitrary File Upload vulnerability (CVE-2025-13536). A remote attacker holding ordinary user privileges can upload a web shell to the affected web server and execute it, achieving remote arbitrary code execution.

2. The FindAll Listing and Tiare Membership plugins and the Tiger theme have Privilege Escalation vulnerabilities (CVE-2025-13538, CVE-2025-13540 and CVE-2025-13675). An unauthenticated remote attacker can specify the administrator role at registration time and thereby obtain site administrator privileges.

3. The FindAll Membership plugin has an Authentication Bypass vulnerability (CVE-2025-13539). An unauthenticated remote attacker who holds an ordinary user account and can read the administrator's e-mail can log in to the site as the administrator.

4. The StreamTube Core plugin has an Arbitrary User Password Change vulnerability (CVE-2025-13615). An unauthenticated remote attacker can change the password of any site user and thereby take over the administrator account.

WordPress is a widely used website platform. Because of the sheer number of plugins and themes available for it, serious vulnerabilities such as those listed in this alert appear from time to time.
If you run WordPress, watch not only for updates to the WordPress core itself but also for updates to your plugins and themes, and apply patches promptly. We also recommend reviewing whether each installed plugin and theme is actually needed; remove any that are not.

[Affected Platforms]
Blubrry PowerPress 11.15.2 and earlier
FindAll Listing 1.0.5 and earlier
FindAll Membership 1.0.4 and earlier
Tiare Membership 1.2 and earlier
StreamTube Core 4.78 and earlier
Tiger theme 101.2.1 and earlier

[Recommended Actions]
Update Blubrry PowerPress to 11.15.3 or later
Update FindAll Listing to 1.1 or later
Update FindAll Membership to 1.1 or later
Update Tiare Membership to 1.3 or later
Update StreamTube Core to 4.79 or later

For the Tiger theme, refer to the vendor's advisory and take the measures it describes: https://wwwwordfence.com/threat-intel/vulnerabilities/wordpress-themes/tiger-2/tiger-10121-unauthenticated-privilege-escalation
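A quick way to check a site against the version ranges above is to compare the output of WP-CLI's `wp plugin list --format=json` (and `wp theme list --format=json`) with the affected versions. The script below is an added example, not part of the alert; the directory slugs it keys on are assumptions, since the alert names products rather than wordpress.org slugs, and the sample JSON is constructed.

```python
import json

# Affected ranges from the alert, keyed by plugin/theme directory slug.
# The slugs are assumptions: the alert names products, not wordpress.org slugs.
# Value: (last affected version, first fixed version, or None where the alert
# gives no fixed version and points to the vendor advisory instead).
AFFECTED = {
    "powerpress":         ("11.15.2", "11.15.3"),
    "findall-listing":    ("1.0.5",   "1.1"),
    "findall-membership": ("1.0.4",   "1.1"),
    "tiare-membership":   ("1.2",     "1.3"),
    "streamtube-core":    ("4.78",    "4.79"),
    "tiger":              ("101.2.1", None),   # theme, no fixed version listed
}

def parse_version(v):
    """Turn '11.15.2' into (11, 15, 2); non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.strip().split("."))

def is_affected(slug, version):
    """True when the slug is in the alert and version <= its last affected version."""
    entry = AFFECTED.get(slug)
    return entry is not None and parse_version(version) <= parse_version(entry[0])

def audit(wp_cli_json):
    """Audit JSON from `wp plugin list --format=json` / `wp theme list --format=json`.
    Returns a list of (slug, installed version, recommended action)."""
    findings = []
    for item in json.loads(wp_cli_json):
        slug, version = item["name"], item["version"]
        if is_affected(slug, version):
            fixed = AFFECTED[slug][1]
            action = f"update to {fixed} or later" if fixed else "see vendor advisory"
            findings.append((slug, version, action))
    return findings

# Constructed sample of `wp plugin list --format=json` output, not from a real site.
SAMPLE = json.dumps([
    {"name": "powerpress", "status": "active", "update": "available", "version": "11.15.2"},
    {"name": "findall-listing", "status": "inactive", "update": "none", "version": "1.1"},
    {"name": "streamtube-core", "status": "active", "update": "available", "version": "4.78"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])

if __name__ == "__main__":
    for slug, version, action in audit(SAMPLE):
        print(f"{slug} {version}: {action}")
```

Inactive plugins and themes are still worth listing, since their files remain on the server; the alert's advice to remove unneeded ones applies to them too.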

[References]
1. https://nvd.nist.gov/vuln/detail/CVE-2025-13536
2. https://nvd.nist.gov/vuln/detail/CVE-2025-13538
3. https://nvd.nist.gov/vuln/detail/CVE-2025-13539
4. https://nvd.nist.gov/vuln/detail/CVE-2025-13540
5. https://nvd.nist.gov/vuln/detail/CVE-2025-13615
6. https://nvd.nist.gov/vuln/detail/CVE-2025-13675


