Critical Vulnerabilities Exposed: Act Now!

Below is an overview of several critical vulnerabilities that have recently been disclosed. This summary includes details such as the CVE ID, a brief description of each issue, and the severity rating. For full details and updates, you can check the respective vendor advisories and the National Vulnerability Database.

──────────────────────────────
1. GitLab – CVE-2025-9642
• Issue: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting).
• Affected Versions: GitLab CE/EE from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1.
• Impact: An attacker may inject malicious content that could lead to account takeover.
• Severity: 8.7 (HIGH)
• More info: [NVD – CVE-2025-9642](https://nvd.nist.gov/vuln/detail/CVE-2025-9642) | [GitLab Release Notes](https://about.gitlab.com/releases/)

──────────────────────────────
2. WordPress WooCommerce Designer Pro Plugin – CVE-2025-60219
• Issue: Unrestricted file upload allowing dangerous file types, enabling an attacker to upload a web shell.
• Affected Versions: WooCommerce Designer Pro: from n/a through 1.9.24.
• Severity: 10.0 (CRITICAL)
• More info: [NVD – CVE-2025-60219](https://nvd.nist.gov/vuln/detail/CVE-2025-60219)

──────────────────────────────
3. WordPress AR For WordPress Plugin – CVE-2025-60156
• Issue: Cross-Site Request Forgery (CSRF) that may allow an attacker to upload a web shell.
• Affected Versions: AR For WordPress: from n/a through 7.98.
• Severity: 9.6 (CRITICAL)
• More info: [NVD – CVE-2025-60156](https://nvd.nist.gov/vuln/detail/CVE-2025-60156)

──────────────────────────────
4. WordPress Testimonial Slider Plugin – CVE-2025-60126
• Issue: PHP Local File Inclusion through improper filename handling in include/require statements.
• Affected Versions: Testimonial Slider: from n/a through 3.5.8.6.
• Severity: 8.8 (HIGH)
• More info: [NVD – CVE-2025-60126](https://nvd.nist.gov/vuln/detail/CVE-2025-60126)

──────────────────────────────
5. WordPress PGS Core Plugin – CVE-2025-60118
• Issue: SQL Injection due to improper neutralization of SQL special elements.
• Affected Versions: PGS Core: from n/a through 5.9.0.
• Severity: 8.5 (HIGH)
• More info: [NVD – CVE-2025-60118](https://nvd.nist.gov/vuln/detail/CVE-2025-60118)

──────────────────────────────
6. WordPress LambertGroup – AllInOne Content Slider Plugin – CVE-2025-60109
• Issue: Blind SQL Injection vulnerability stemming from improper handling of special SQL elements.
• Affected Versions: LambertGroup – AllInOne – Content Slider: from n/a through 3.8.
• Severity: 8.5 (HIGH)
• More info: [NVD – CVE-2025-60109](https://nvd.nist.gov/vuln/detail/CVE-2025-60109)

──────────────────────────────
7. WordPress AllInOne Banner Rotator Plugin – CVE-2025-60110
• Issue: SQL Injection vulnerability allowing an unauthenticated attacker to manipulate SQL queries.
• Affected Versions: AllInOne – Banner Rotator: from n/a through 3.8.
• Severity: 8.5 (HIGH)
• More info: [NVD – CVE-2025-60110](https://nvd.nist.gov/vuln/detail/CVE-2025-60110)

──────────────────────────────
8. WordPress Javo Core Plugin – CVE-2025-60111
• Issue: CSRF vulnerability that may allow authentication bypass.
• Affected Versions: Javo Core: from n/a through 3.0.0.266.
• Severity: 8.8 (HIGH)
• More info: [NVD – CVE-2025-60111](https://nvd.nist.gov/vuln/detail/CVE-2025-60111)

──────────────────────────────
9. WordPress LambertGroup – AllInOne Banner with Playlist Plugin – CVE-2025-60107
• Issue: Blind SQL Injection caused by improper SQL special elements handling.
• Affected Versions: LambertGroup – AllInOne – Banner with Playlist: from n/a through 3.8.
• Severity: 8.5 (HIGH)
• More info: [NVD – CVE-2025-60107](https://nvd.nist.gov/vuln/detail/CVE-2025-60107)

──────────────────────────────
10. WordPress LambertGroup – AllInOne Banner with Thumbnails Plugin – CVE-2025-60108
• Issue: Blind SQL Injection vulnerability similar in nature to the playlist banner variant.
• Affected Versions: LambertGroup – AllInOne – Banner with Thumbnails: from n/a through 3.8.
• Severity: 8.5 (HIGH)
• More info: [NVD – CVE-2025-60108](https://nvd.nist.gov/vuln/detail/CVE-2025-60108)

──────────────────────────────
11. Cisco ASA and FTD Vulnerabilities – CVE-2025-20333 and CVE-2025-20363 (ASA firewall zero-days)
• Issues: Multiple flaws affecting Cisco’s Adaptive Security Appliances and other firewall products. The vulnerabilities are buffer overflows caused by improper validation of HTTP/HTTPS input and allow remote code execution.
• Impact: These vulnerabilities can lead to arbitrary code execution, complete device compromise, and are actively exploited by threat actors.
• Severity: Ranging up to 9.9 (CRITICAL)
• More info: [Cisco Security Advisories](https://tools.cisco.com/security/center/publicationListing.x) | [CISA Advisory on Cisco Zero-Days](https://www.cisa.gov/news/2023/05/23/cisa-alerts-federal-agencies-widespread-attacks-cisco-zero-days)

──────────────────────────────
12. Unitree Devices – CVE-2025-60017
• Issue: Root OS command injection via parameters in hostapd_restart.sh on Unitree Go2, G1, H1, and B2 devices.
• Impact: Successful exploitation grants full control over the device.
• Severity: 8.2 (HIGH)
• More info: [NVD – CVE-2025-60017](https://nvd.nist.gov/vuln/detail/CVE-2025-60017)

──────────────────────────────
13. TOTOLINK X6000R – CVE-2025-11005
• Issue: OS Command Injection vulnerability due to improper neutralization of special characters in the command parameters.
• Affected Versions: X6000R through V9.4.0cu.1458_B20250708.
• Severity: 9.3 (CRITICAL)
• More info: [NVD – CVE-2025-11005](https://nvd.nist.gov/vuln/detail/CVE-2025-11005)

──────────────────────────────
14. Zenitel Gateways – CVE-2025-59817, CVE-2025-59816, CVE-2025-59815 and CVE-2025-59814
• Issues:
– CVE-2025-59817: Authenticated Remote Code Execution in zForm_auto_config, giving full control of the device.
– CVE-2025-59816: Authenticated UNION-based SQL injection in the search field of the billing admin database exposing plaintext credentials.
– CVE-2025-59815: Authenticated Remote Code Execution in the Billing Administration portal.
– CVE-2025-59814: Unauthenticated SQL injection in the password field allowing full database read access.
• Severities: Ranging from 8.1 (HIGH) to 9.8 (CRITICAL)
• More info:
 • [NVD – CVE-2025-59817](https://nvd.nist.gov/vuln/detail/CVE-2025-59817)
 • [NVD – CVE-2025-59816](https://nvd.nist.gov/vuln/detail/CVE-2025-59816)
 • [NVD – CVE-2025-59815](https://nvd.nist.gov/vuln/detail/CVE-2025-59815)
 • [NVD – CVE-2025-59814](https://nvd.nist.gov/vuln/detail/CVE-2025-59814)

──────────────────────────────
15. Dingtian DT-R002 – CVE-2025-10880 and CVE-2025-10879
• Issues:
– CVE-2025-10880: Insufficiently Protected Credentials vulnerability exposing proprietary protocol passwords.
– CVE-2025-10879: Allows unauthenticated retrieval of a user’s username.
• Severity: 8.7 (HIGH) for both
• More info:
 • [NVD – CVE-2025-10880](https://nvd.nist.gov/vuln/detail/CVE-2025-10880)
 • [NVD – CVE-2025-10879](https://nvd.nist.gov/vuln/detail/CVE-2025-10879)

──────────────────────────────
16. Nagios XI – CVE-2025-34227
• Issue: Authenticated command injection vulnerability within various database configuration wizards (MongoDB, MySQL, Postgres), allowing shell command execution as the nagios user.
• Affected Versions: Versions prior to 2026R1.
• Severity: 8.6 (HIGH)
• More info: [NVD – CVE-2025-34227](https://nvd.nist.gov/vuln/detail/CVE-2025-34227)

──────────────────────────────
17. FlagForgeCTF – CVE-2025-59841
• Issue: Improper session handling allowing continued access to protected endpoints after logout, including reuse of CSRF tokens.
• Affected Versions: 2.2.0 up to but not including 2.3.1.
• Severity: 9.8 (CRITICAL)
• More info: [NVD – CVE-2025-59841](https://nvd.nist.gov/vuln/detail/CVE-2025-59841)

──────────────────────────────
18. UTT Devices – CVE-2025-10953
• Issue: Buffer overflow in the /goform/formApMail file triggered through manipulation of the senderEmail parameter, allowing remote exploitation.
• Affected Versions: UTT 1200GW/1250GW, up to the versions listed in the NVD entry.
• Severity: 9.0 (HIGH)
• More info: [NVD – CVE-2025-10953](https://nvd.nist.gov/vuln/detail/CVE-2025-10953)

──────────────────────────────
Additional Context and Cyber Alerts:
• Several advisories also mention active exploitation campaigns, ranging from attacks on Cisco ASA firewalls (with evidence of nation-state involvement) to extensive data breaches affecting nursery chains and other organizations.
• Keep an eye on industry sources such as the [Cisco Security Advisories](https://tools.cisco.com/security/center/publicationListing.x), [CISA alerts](https://www.cisa.gov/), and trusted cybersecurity news outlets for guidance and patch updates.

──────────────────────────────
Final Thoughts
Organizations using any affected products should act immediately to:
 – Review vendor advisories and update to patched versions.
 – Apply mitigations as recommended.
 – Monitor network traffic and logs for any signs of exploit activity.
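One way to carry out the first step against a software inventory, as an added example that is not part of the original post: a Python script that encodes the affected-version ranges listed above for GitLab, FlagForgeCTF and the WordPress plugins with plain dotted version numbers, then flags inventory entries that fall inside them. Following the NVD wording, "through X" ranges are treated as inclusive and "before X" ranges as exclusive. The product slugs and the sample inventory are constructed for illustration; products with vendor-specific version formats (TOTOLINK, Nagios XI "2026R1", UTT) are deliberately left out, since a dotted-integer comparison does not fit them.

```python
"""Check an inventory against the affected-version ranges in this roundup.

Added example, not part of the original post. Ranges and CVE ids are
copied from the advisory entries above; product slugs are constructed.
"""
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.5.8.6' into (3, 5, 8, 6). Any non-digit suffix on a
    component is dropped so the numeric prefix still compares."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b. The shorter tuple is
    zero-padded so '18.3' == '18.3.0' and '18.3' < '18.3.2'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


# product slug (constructed) -> (CVE id, list of ranges)
# range = (inclusive lower bound or None, upper bound, upper bound inclusive?)
# "from n/a through X" -> (None, X, True); "A before B" -> (A, B, False)
AFFECTED: Dict[str, Tuple[str, List[Tuple[Optional[str], str, bool]]]] = {
    "gitlab": ("CVE-2025-9642", [("14.10", "18.2.7", False),
                                 ("18.3", "18.3.3", False),
                                 ("18.4", "18.4.1", False)]),
    "woocommerce-designer-pro": ("CVE-2025-60219", [(None, "1.9.24", True)]),
    "ar-for-wordpress": ("CVE-2025-60156", [(None, "7.98", True)]),
    "testimonial-slider": ("CVE-2025-60126", [(None, "3.5.8.6", True)]),
    "pgs-core": ("CVE-2025-60118", [(None, "5.9.0", True)]),
    "allinone-content-slider": ("CVE-2025-60109", [(None, "3.8", True)]),
    "allinone-banner-rotator": ("CVE-2025-60110", [(None, "3.8", True)]),
    "javo-core": ("CVE-2025-60111", [(None, "3.0.0.266", True)]),
    "allinone-banner-playlist": ("CVE-2025-60107", [(None, "3.8", True)]),
    "allinone-banner-thumbnails": ("CVE-2025-60108", [(None, "3.8", True)]),
    "flagforgectf": ("CVE-2025-59841", [("2.2.0", "2.3.1", False)]),
}


def matching_cve(product: str, version: str) -> Optional[str]:
    """Return the CVE id if (product, version) falls in an affected range,
    None if it does not or if the product is not covered by this roundup."""
    entry = AFFECTED.get(product)
    if entry is None:
        return None
    cve, ranges = entry
    for low, high, inclusive in ranges:
        if low is not None and compare(version, low) < 0:
            continue  # below the lower bound of this range
        hi = compare(version, high)
        if hi < 0 or (inclusive and hi == 0):
            return cve
    return None


def scan(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (product, version, cve) for every affected inventory entry."""
    findings = []
    for product, version in inventory:
        cve = matching_cve(product, version)
        if cve:
            findings.append((product, version, cve))
    return findings


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("gitlab", "18.2.6"),                    # inside 14.10 before 18.2.7
    ("pgs-core", "5.9.0"),                   # "through 5.9.0" is inclusive
    ("pgs-core", "5.9.1"),                   # above the affected range
    ("javo-core", "3.0.0.266"),              # four-component version
    ("woocommerce-designer-pro", "1.9.25"),  # patched
    ("unlisted-plugin", "1.0"),              # not covered: no claim made
]

if __name__ == "__main__":
    for product, version, cve in scan(SAMPLE_INVENTORY):
        print(f"{product} {version}: affected by {cve}, update required")
```

The comparison is deliberately numeric-only; a "1.9.24-beta" style suffix is ignored rather than ordered, so treat a match on a pre-release string as a prompt to read the vendor advisory, not as a definitive answer.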

For further reading on these issues and additional cybersecurity insights, consider exploring resources like the [National Vulnerability Database](https://nvd.nist.gov/), [Cisco Security Center](https://tools.cisco.com/security/center/publicationListing.x), and dedicated WordPress security blogs.

By staying informed and applying the necessary updates, you can significantly reduce the risk of exploitation from these vulnerabilities.

Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.