Free Daily Cyber Security Newsletter

Subject: CyberAlerts Daily Newsletter - March 16, 2025

In today's cybersecurity update, we highlight several critical and high-severity vulnerabilities impacting various widely used applications and plugins, particularly within the WordPress ecosystem. Notably, the "Multiple Shipping And Billing Address For Woocommerce" plugin is affected by a critical SQL Injection vulnerability (CVE-2025-26875) with a CVSS score of 9.3, allowing attackers to execute arbitrary SQL commands, necessitating immediate updates for affected versions up to 1.3. Similarly, the "Booking and Rental Manager" plugin has a high-severity vulnerability (CVE-2025-26921) allowing PHP Object Injection, impacting versions up to 2.2.6 (CVSS 8.8). Additional high-severity vulnerabilities include the "Fresh Framework" plugin (CVE-2025-26961), which suffers from unauthenticated broken access control (CVSS 8.6), and the "tj-actions changed-files" GitHub Action (CVE-2025-30066), where attackers can exploit logs to discover secrets (CVSS 8.6). There are also significant SQL Injection vulnerabilities affecting several other WordPress plugins, including "FS Poster" (CVE-2025-26978, CVSS 8.5), "All In Menu" (CVE-2025-27281, CVSS 8.5), and "PrivateContent" (CVE-2025-26976 and CVE-2025-26969, both CVSS 8.5 and 8.3 respectively). For SUSE Linux users, vulnerabilities (CVE-2024-11168) with medium severity (CVSS 6.3) have been identified in SLES12 and SLES15 due to improper validation of IPv6 addresses, which require updating the affected packages to mitigate the risk. Organizations are strongly advised to prioritize updates for these vulnerabilities, especially those with critical and high-severity ratings, to protect their systems from potential exploitation.