【Vulnerability Alert】Six Security Vulnerabilities Found in WordPress Plugins and Themes (CVE-2025-13536) (CVE-2025-13538) (CVE-2025-13539) (CVE-2025-13540) (CVE-2025-13615) (CVE-2025-13675). Please promptly verify and apply the necessary fixes.

Publish date: 2025-12-12   Update date: 2025-12-12

Source: Ministry of education information & communication security contingency platform

"" "" ""

Publication Number: TACERT-ANA-2025120502124747
Publication Time: 2025/12/05 14:06
Incident Type: ANA-Vulnerability Alert
Discovery Time: 2025/12/05 14:06
Impact Level: Medium
[Subject]
【Vulnerability Alert】Six Security Vulnerabilities Found in WordPress Plugins and Themes (CVE-2025-13536) (CVE-2025-13538) (CVE-2025-13539) (CVE-2025-13540) (CVE-2025-13615) (CVE-2025-13675). Please promptly verify and apply the necessary fixes.

[Content]
Forwarded from the National Institute of Cyber Security NISAC-200-202512-00000041

Researchers have discovered six high-risk security vulnerabilities in WordPress plugins and themes. Please promptly verify and apply the necessary fixes.

1. The Blubrry PowerPress plugin contains an arbitrary file upload vulnerability (CVE-2025-13536). An authenticated remote attacker holding only an ordinary (non-administrator) user account can upload a web shell to the affected web server and execute it, achieving remote arbitrary code execution.

2. The FindAll Listing and Tiare Membership plugins and the Tiger theme contain privilege escalation vulnerabilities (CVE-2025-13538, CVE-2025-13540 and CVE-2025-13675). An unauthenticated remote attacker can specify the administrator role during user registration and thereby obtain administrator privileges on the site.

3. The FindAll Membership plugin contains an authentication bypass vulnerability (CVE-2025-13539). An unauthenticated remote attacker who registers an ordinary user account and is able to access the administrator's e-mail can log in as the administrator.

4. The StreamTube Core plugin contains an arbitrary user password change vulnerability (CVE-2025-13615). An unauthenticated remote attacker can change the password of any site user, including administrators, and so take over administrator accounts.

WordPress is a widely used website-building system. Because of the very large number of plugins and themes available for it, severe vulnerabilities such as those listed in this alert appear from time to time. When operating a WordPress site, pay attention not only to update information for the WordPress core itself but also to the plugins and themes in use, and apply updates and patches promptly. Also review whether each installed plugin and theme is actually needed; remove those that are not.

Information Sharing Level: WHITE (Information content can be publicly disclosed)

[Affected Platform]
Blubrry PowerPress versions 11.15.2 and earlier

FindAll Listing versions 1.0.5 and earlier

FindAll Membership versions 1.0.4 and earlier

Tiare Membership versions 1.2 and earlier

StreamTube Core versions 4.78 and earlier

Tiger theme versions 101.2.1 and earlier

[Recommended Actions]
Update Blubrry PowerPress to version 11.15.3 or later

Update FindAll Listing to version 1.1 or later

Update FindAll Membership to version 1.1 or later

Update Tiare Membership to version 1.3 or later

Update StreamTube Core to version 4.79 or later

For the Tiger theme, no fixed version is given; refer to the official documentation and the vulnerability entry at the following URL, and take the necessary measures:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/tiger-2/tiger-10121-unauthenticated-privilege-escalation
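The [Affected Platform] and [Recommended Actions] sections above are a table of version ranges, and the first thing an operator has to do is compare them against what is actually installed. The script below is an added example, not part of the TACERT/NISAC advisory: it reads the JSON that WP-CLI prints for `wp plugin list --fields=name,title,version --format=json` (and the equivalent `wp theme list`), looks each component up in the advisory's table, and reports whether the installed version is still in the affected range. The sample WP-CLI output embedded in it is constructed for this example and its slugs (the `name` values) are made up; matching is done on the `title` field, and the plugin-header title a site reports may differ from the product name the advisory uses, so adjust the table keys to what your own `wp plugin list` prints.

```python
"""Added triage example (not part of the TACERT/NISAC advisory).

Compares WP-CLI `plugin list` / `theme list` JSON against the advisory's
affected-version table and reports which installed components still need
an update.  Sample input is constructed; slugs are hypothetical.
"""
import json
import re

# From the advisory: product name -> (highest affected version, fixed version, CVE).
# The Tiger theme has no fixed version listed in the advisory, hence None.
ADVISORY = {
    "Blubrry PowerPress": ("11.15.2", "11.15.3", "CVE-2025-13536"),
    "FindAll Listing":    ("1.0.5",   "1.1",     "CVE-2025-13538"),
    "FindAll Membership": ("1.0.4",   "1.1",     "CVE-2025-13539"),
    "Tiare Membership":   ("1.2",     "1.3",     "CVE-2025-13540"),
    "StreamTube Core":    ("4.78",    "4.79",    "CVE-2025-13615"),
    "Tiger":              ("101.2.1", None,      "CVE-2025-13675"),
}

# Constructed sample of what `wp plugin list --fields=name,title,version --format=json`
# might print on a site with four of the six products installed.  Slugs are made up.
SAMPLE_WP_CLI_OUTPUT = json.dumps([
    {"name": "powerpress",         "title": "Blubrry PowerPress", "version": "11.15.2"},
    {"name": "findall-membership", "title": "FindAll Membership", "version": "1.1"},
    {"name": "streamtube-core",    "title": "StreamTube Core",    "version": "4.78"},
    {"name": "akismet",            "title": "Akismet Anti-spam",  "version": "5.3.2"},
    {"name": "tiger",              "title": "Tiger",              "version": "101.2.1"},
])


def parse_version(text):
    """'11.15.2' -> (11, 15, 2).  A non-numeric tail such as '1.2-beta' is cut off at
    the first component that does not start with digits, so it becomes (1, 2).
    Plain tuple comparison suffices because WordPress plugin versions are dotted
    integers; semver pre-release ordering is deliberately not modelled."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_le(a, b):
    """True if version a <= version b; missing components count as 0,
    so '1.1' and '1.1.0' compare equal."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa <= pb


def _key(title):
    return re.sub(r"\s+", " ", title).strip().lower()


def check_installed(wp_cli_json):
    """Return one finding per installed component the advisory covers.

    Finding keys: title, installed, cve, affected, action.
    Components the advisory does not mention are skipped."""
    table = {_key(name): (name, *row) for name, row in ADVISORY.items()}
    findings = []
    for item in json.loads(wp_cli_json):
        hit = table.get(_key(item.get("title", "")))
        if hit is None:
            continue
        name, max_affected, fixed, cve = hit
        affected = version_le(item["version"], max_affected)
        if not affected:
            action = "not affected"
        elif fixed:
            action = f"update to {fixed} or later"
        else:
            action = "no fixed version listed in the advisory; follow the vendor/Wordfence entry"
        findings.append({"title": name, "installed": item["version"], "cve": cve,
                         "affected": affected, "action": action})
    return findings


if __name__ == "__main__":
    for f in check_installed(SAMPLE_WP_CLI_OUTPUT):
        flag = "VULNERABLE" if f["affected"] else "ok"
        print(f'{flag:10} {f["title"]} {f["installed"]} ({f["cve"]}): {f["action"]}')
```

Run it against real output by piping `wp plugin list` and `wp theme list` JSON into `check_installed`. A version check only tells you whether a component is still exposed; it says nothing about whether the site was exploited before patching. For the arbitrary file upload and the account-takeover issues in this alert, also review recently added files under the web root and the list of administrator accounts.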

[Reference]
1. https://nvd.nist.gov/vuln/detail/CVE-2025-13536

2. https://nvd.nist.gov/vuln/detail/CVE-2025-13538

3. https://nvd.nist.gov/vuln/detail/CVE-2025-13539

4. https://nvd.nist.gov/vuln/detail/CVE-2025-13540

5. https://nvd.nist.gov/vuln/detail/CVE-2025-13615

6. https://nvd.nist.gov/vuln/detail/CVE-2025-13675

(This notification is for informational purposes only and does not constitute a cybersecurity incident).
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
Organizer: Computer Center