[Security Vulnerability Alert] Six security vulnerabilities exist in WordPress extensions (plugins) and website themes. Please check for and patch them as soon as possible.

2025/12/5 ~ 2026/6/5

Forwarded from National Cybersecurity Information Sharing and Analysis Center: Cybersecurity Alert NISAC-200-202512-00000041

[Content Description]
Researchers have disclosed six high-risk security vulnerabilities in WordPress extensions and website themes. Please check whether you are affected and patch as soon as possible.

1. The Blubrry PowerPress extension contains an Arbitrary File Upload vulnerability (CVE-2025-13536). A remote attacker holding an ordinary user account can upload a backdoor to the affected web server and execute it, achieving remote arbitrary code execution.

2. The FindAll Listing and Tiare Membership extensions, as well as the Tiger web theme, contain privilege escalation vulnerabilities (CVE-2025-13538, CVE-2025-13540, and CVE-2025-13675). Unauthenticated remote attackers can specify an administrator role during registration and exploit these vulnerabilities to gain website administrator privileges.

3. The FindAll Membership extension contains an authentication bypass vulnerability (CVE-2025-13539). An unauthenticated remote attacker who has obtained a regular user account and knows an administrator's email address can log in as that administrator.

4. The StreamTube Core extension contains an arbitrary user password change vulnerability (CVE-2025-13615). Unauthenticated remote attackers can change the password of any website user and thereby take over administrator accounts.

WordPress is a widely used website platform. Because of the very large number of extensions and themes available for it, serious vulnerabilities such as those listed in this alert appear from time to time.

If you are using WordPress, in addition to following updates to the WordPress core, you should also monitor the extensions and themes you have installed and update or patch them as needed. It is also recommended to review whether each installed extension and theme is actually necessary, and to remove those that are not.
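As an added illustration (not code from any of the plugins or themes named here, whose internals this alert does not describe), the two bug classes in items 2 and 4 written as hypothetical WordPress handlers, each beside a hardened form; the function and request-field names are assumptions.

```php
<?php
// Added illustration only; not code from any plugin or theme named in this alert.

// Item 2 pattern (hypothetical): a self-registration handler that trusts a
// role value supplied by the client. Whoever submits the form picks the role.
function demo_register_vulnerable( array $request ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $request['username'] ),
        'user_email' => sanitize_email( $request['email'] ),
        'user_pass'  => $request['password'],
        'role'       => $request['role'], // client-controlled, e.g. "administrator"
    ) );
}

// Hardened form: self-registration always receives the site's configured
// default role; any role field in the request is simply never read.
// Promotion is a separate, capability-checked action (not part of sign-up).
function demo_register_hardened( array $request ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $request['username'] ),
        'user_email' => sanitize_email( $request['email'] ),
        'user_pass'  => $request['password'],
        'role'       => get_option( 'default_role', 'subscriber' ),
    ) );
}

// Item 4 pattern (hypothetical): a password change keyed only on a login name,
// with no proof that the caller owns the account.
function demo_change_password_vulnerable( array $request ) {
    $user = get_user_by( 'login', $request['login'] );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user' );
    }
    wp_set_password( $request['new_password'], $user->ID ); // anyone can reset anyone
    return true;
}

// Hardened form: require the single-use reset key that WordPress mails to the
// account owner, validate it, and only then set the new password.
function demo_change_password_hardened( array $request ) {
    $user = check_password_reset_key( $request['key'], $request['login'] );
    if ( is_wp_error( $user ) ) {
        return $user; // expired or invalid key: refuse
    }
    reset_password( $user, $request['new_password'] ); // also clears the used key
    return true;
}
```

The detection angle is the same for both patterns: new accounts created with a non-default role, or password changes that were not preceded by a reset-key email, are the events worth alerting on.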

[Affected Platforms]
Blubrry PowerPress versions 11.15.2 and earlier
FindAll Listing versions 1.0.5 and earlier
FindAll Membership versions 1.0.4 and earlier
Tiare Membership versions 1.2 and earlier
StreamTube Core versions 4.78 and earlier
Tiger website theme versions 101.2.1 and earlier

[Recommended Actions]
Update Blubrry PowerPress to version 11.15.3 or later
Update FindAll Listing to version 1.1 or later
Update FindAll Membership to version 1.1 or later
Update Tiare Membership to version 1.3 or later
Update StreamTube Core to version 4.79 or later

For the Tiger website theme, please refer to the official advisory and take the necessary measures. The URL is as follows: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/tiger-2/tiger-10121-unauthenticated-privilege-escalation

[References]
1. https://nvd.nist.gov/vuln/detail/CVE-2025-13536
2. https://nvd.nist.gov/vuln/detail/CVE-2025-13538
3. https://nvd.nist.gov/vuln/detail/CVE-2025-13539
4. https://nvd.nist.gov/vuln/detail/CVE-2025-13540
5. https://nvd.nist.gov/vuln/detail/CVE-2025-13615
6. https://nvd.nist.gov/vuln/detail/CVE-2025-13675
