Here are the CVE updates for the week of February 17th through the 23rd.
CRITICAL SEVERITY VULNERABILITIES
CarSpot WordPress Theme Privilege Escalation Vulnerability | CVE-2024-12860
Description: A vulnerability in the CarSpot – Dealership WordPress Classified Theme allows unauthenticated attackers to bypass authentication and take over user accounts, including administrator accounts. This flaw arises from improper token validation when updating user passwords, allowing attackers to change any user’s password and gain full access to their account.
Potential Impacts:
- Unauthorized Access: Attackers can reset administrator passwords and take control of the website.
- Privilege Escalation: Malicious users can elevate their access rights.
- Website Takeover: Attackers can modify site content, install malware, or delete critical data.
- User Data Exposure: Sensitive information may be accessed or leaked.
Mitigation Recommendations:
- Update the Theme: Apply any available patches or switch to a secure version.
- Enable Two-Factor Authentication (2FA): A reset password alone is then not enough to log in, provided the reset flow does not also clear the second factor.
- Restrict Password Reset Functionality: Require a valid, single-use, expiring token that is bound to the account and delivered out of band (for example by email), and notify the account owner whenever a password changes.
- Monitor Site Activity: Track login attempts and password reset requests for suspicious behavior.
- Use a Security Plugin: Implement security measures to detect and prevent unauthorized access.
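The description above comes down to a password-update handler that does not properly check the reset token it is given. The following is an added example, not CarSpot's code: a weak handler whose token comparison only runs when a token is present (so an empty token or an account with no pending reset passes straight through), beside a hardened handler that requires a present, account-bound, unexpired, single-use token compared in constant time. The user store, field names and token format are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Illustrative reset-password handlers, not CarSpot's code. The user store,
# field names and token format are assumptions for the demonstration.
SALT = b"demo-static-salt"  # constructed; a real store uses a per-user random salt


def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()


def verify_password(users, username, password):
    user = users.get(username)
    return user is not None and hmac.compare_digest(
        user["password_hash"], hash_password(password))


def make_users():
    # Constructed sample store: one administrator, no pending reset.
    return {"admin": {"password_hash": hash_password("correct horse"),
                      "reset_token_hash": None, "reset_expires": 0}}


def issue_reset_token(users, username, now, ttl=900):
    """Create a single-use reset token bound to one account; only its hash is stored."""
    token = secrets.token_urlsafe(32)
    users[username]["reset_token_hash"] = hashlib.sha256(token.encode()).hexdigest()
    users[username]["reset_expires"] = now + ttl
    return token


def reset_password_weak(users, username, token, new_password):
    """Improper token validation: the comparison only runs when both a presented
    token and a stored token exist, so an empty token (or an account that never
    requested a reset) falls straight through to the password change."""
    user = users.get(username)
    if user is None:
        return False
    stored = user["reset_token_hash"]
    if token and stored:
        if hashlib.sha256(token.encode()).hexdigest() != stored:
            return False
    user["password_hash"] = hash_password(new_password)
    return True


def reset_password_secure(users, username, token, new_password, now):
    """Hardened check: the token must be present, belong to this account, be
    unexpired, match in constant time, and it is invalidated after one use."""
    user = users.get(username)
    if user is None or not token:
        return False
    stored = user["reset_token_hash"]
    if stored is None or now > user["reset_expires"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, stored):
        return False
    user["reset_token_hash"] = None  # single use
    user["reset_expires"] = 0
    user["password_hash"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    users = make_users()
    # Unauthenticated takeover against the weak handler: no token at all is needed.
    print("weak, empty token:", reset_password_weak(users, "admin", "", "pwned"))
    users = make_users()
    print("secure, empty token:", reset_password_secure(users, "admin", "", "pwned", now=1000))
    token = issue_reset_token(users, "admin", now=1000)
    print("secure, valid token:", reset_password_secure(users, "admin", token, "new-pass", now=1100))
    print("secure, reused token:", reset_password_secure(users, "admin", token, "again", now=1200))
```

The weak handler is what "improper token validation" typically looks like in practice: the check exists, but there is a path around it. Storing only the token hash means a database read does not hand out usable tokens, and clearing the hash after use is what makes the token single-use.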
ChurchCRM Time-Based Blind SQL Injection Vulnerability | CVE-2025-1023
Description: A time-based blind SQL Injection vulnerability exists in ChurchCRM 5.13.0 and earlier, specifically in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL query without proper sanitization, allowing an attacker to manipulate database queries. This vulnerability enables attackers to execute arbitrary SQL commands, potentially compromising the integrity and confidentiality of the database.
Potential Impacts:
- Data Exfiltration: Attackers can retrieve sensitive information from the database.
- Data Manipulation: Malicious actors can modify or delete critical records.
- Unauthorized Access: Exploiting the vulnerability may allow privilege escalation and administrative access.
- System Disruption: SQL injection attacks can lead to denial of service by corrupting or locking database tables.
Mitigation Recommendations:
- Update ChurchCRM: Apply security patches or upgrade to a secure version.
- Parameterize Queries: Use prepared statements with bound parameters so that user input is never concatenated into SQL; input sanitization on its own is not a substitute.
- Restrict Database Privileges: Limit permissions to prevent unauthorized data access or modification.
- Implement Web Application Firewall (WAF): Block malicious SQL injection attempts in real-time.
- Monitor Database Logs: Regularly review logs for suspicious SQL queries and unauthorized access attempts.
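To make the ChurchCRM entry concrete, here is an added example that is not ChurchCRM's code: the concatenation pattern described for newCountName beside its parameterized replacement, a model of a time-based blind probe against the vulnerable query, and a small check that flags time-delay primitives in a query log as the "Monitor Database Logs" item suggests. The table, column names and the sample log lines are constructed for the demonstration; SQLite is used because it runs in-process, and since SQLite has no SLEEP() the example registers a stand-in that records the requested delay instead of sleeping.

```python
import re
import sqlite3

# Illustrative code, not ChurchCRM's. The table, column and parameter names are
# assumptions standing in for the event-type record that newCountName updates.


def make_db():
    # Constructed in-memory sample data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event_types (id INTEGER PRIMARY KEY, name TEXT, count_name TEXT)")
    conn.executemany("INSERT INTO event_types (name, count_name) VALUES (?, ?)",
                     [("Sunday Service", "Attendees"), ("Board Meeting", "Members")])
    conn.commit()
    return conn


def count_by_count_name_vulnerable(conn, new_count_name):
    """Vulnerable pattern: the parameter is concatenated straight into the query."""
    sql = "SELECT COUNT(*) FROM event_types WHERE count_name = '" + new_count_name + "'"
    return conn.execute(sql).fetchone()[0]


def count_by_count_name_fixed(conn, new_count_name):
    """Fixed: a bound parameter; quotes and SQL keywords in the value are just data."""
    sql = "SELECT COUNT(*) FROM event_types WHERE count_name = ?"
    return conn.execute(sql, (new_count_name,)).fetchone()[0]


def time_based_probe(conn, new_count_name):
    """Model a time-based blind probe. SQLite has no SLEEP(), so a stand-in that
    records the requested delay instead of sleeping is registered; on MySQL the
    real SLEEP() would stall the response and leak one bit per request."""
    delays = []
    conn.create_function("SLEEP", 1, lambda seconds: delays.append(seconds) or 0)
    count_by_count_name_vulnerable(conn, new_count_name)
    return delays


# Constructed sample of a database general query log, not real ChurchCRM traffic.
SAMPLE_QUERY_LOG = """\
2025-02-18T10:01:02Z Query SELECT * FROM event_types WHERE count_name = 'Attendees'
2025-02-18T10:01:09Z Query SELECT * FROM event_types WHERE count_name = 'x' AND SLEEP(5)='0'
2025-02-18T10:01:15Z Query SELECT * FROM event_types WHERE count_name = 'x' AND BENCHMARK(5000000,MD5('a'))='0'
2025-02-18T10:01:20Z Query UPDATE event_types SET count_name = 'Members' WHERE id = 2
"""

TIME_BASED_PATTERNS = re.compile(
    r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.IGNORECASE)


def flag_time_based_sqli(log_text):
    """Return the log lines that carry a time-delay primitive typical of blind SQLi."""
    return [line for line in log_text.splitlines() if TIME_BASED_PATTERNS.search(line)]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", count_by_count_name_vulnerable(db, payload))  # every row matches
    print("fixed:", count_by_count_name_fixed(db, payload))            # no row is literally that string
    print("delays requested:", time_based_probe(make_db(), "x' OR SLEEP(5)='0"))
    for line in flag_time_based_sqli(SAMPLE_QUERY_LOG):
        print("FLAG:", line)
```

The blind variant matters for detection: a time-based probe returns the same page whether or not the injected condition is true, so nothing in the HTTP response looks wrong, and the delay primitive in the query log (or the response-time skew in the web server log) is the signal to watch for.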
HIGH SEVERITY VULNERABILITIES
SonicWall SonicOS SSLVPN Improper Authentication Vulnerability | CVE-2024-53704 (CISA KEV): A vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication. This flaw could enable unauthorized access to VPN-protected resources, potentially compromising sensitive data and network security.
Craft CMS Code Injection Vulnerability | CVE-2025-23209 (CISA KEV): A remote code execution (RCE) vulnerability has been identified in Craft CMS versions 4 and 5, which can be exploited if the security key has already been compromised. Attackers with access to the compromised security key can execute arbitrary code on the affected system. This vulnerability has been patched in Craft 5.5.8 and 4.13.8.
Microsoft Power Pages Improper Access Control Vulnerability | CVE-2025-24989 (CISA KEV): Microsoft Power Pages contains an improper access control vulnerability that allows an unauthorized attacker to elevate privileges over a network. This flaw may enable an attacker to bypass user registration controls, potentially gaining unauthorized access to restricted areas or performing privileged actions.
MEDIUM SEVERITY VULNERABILITIES
Palo Alto PAN-OS Authentication Bypass Vulnerability | CVE-2025-0108 (CISA KEV): A vulnerability in Palo Alto Networks PAN-OS allows an attacker with network access to bypass authentication on the management web interface. This flaw lets unauthenticated attackers invoke specific PHP scripts, which, while not enabling remote code execution on its own, could compromise the integrity and confidentiality of the system. Note that it supplies exactly the authenticated access that the PAN-OS file read vulnerability below requires, so the two should be treated as a chain and the management interface should not be reachable from untrusted networks.
Palo Alto Networks PAN-OS File Read Vulnerability | CVE-2025-0111 (CISA KEV): A vulnerability in Palo Alto Networks PAN-OS allows an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are accessible to the “nobody” user. While this flaw does not enable remote code execution, it could expose sensitive system files, potentially leading to further exploitation.
SQL Injection in Real Estate Property Management System | CVE-2025-1379: An SQL injection vulnerability has been identified in the Real Estate Property Management System 1.0, specifically within the /Admin/CustomerReport.php file. An attacker can manipulate the city parameter to inject SQL into the query, potentially leading to unauthorized database access.
Stored Cross-Site Scripting (XSS) in Online Payments Plugin for WordPress | CVE-2024-11895: A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Online Payments – Get Paid with PayPal, Square & Stripe plugin for WordPress, affecting all versions up to and including 3.20.0. This vulnerability is caused by insufficient input sanitization and output escaping within the plugin’s shortcodes.
Cisco Secure Email Gateway Email Filtering Bypass Vulnerability | CVE-2025-20153: A vulnerability in the email filtering mechanism of Cisco Secure Email Gateway allows an unauthenticated, remote attacker to bypass security rules and deliver emails that should have been blocked. This issue arises due to improper handling of email traffic by the affected device, enabling an attacker to craft and send emails that evade filtering controls.
Apple SecureROM Arbitrary Code Execution Vulnerability | CVE-2019-8900: A vulnerability in the SecureROM of certain Apple devices allows an unauthenticated local attacker to execute arbitrary code upon booting the device. Exploiting this flaw requires physical access to the device and involves placing it into Device Firmware Update (DFU) mode while connected to a computer. The exploit is not persistent, meaning that a reboot will erase any modifications made during an attack session. Because SecureROM is read-only code in the chip itself, the flaw cannot be patched by a software update on affected devices; the practical mitigations are physical control of the device and keeping data protected at rest so that a boot-time compromise does not expose it.