Cybersecurity Alert: Major Vulnerabilities Exposed Today


Daily Cybersecurity Round-Up

Welcome to today’s cybersecurity roundup, where we break down the latest vulnerabilities and threats making headlines. It’s been a busy day with a variety of security gaps and emerging attack vectors, from WordPress themes to Microsoft AI agents. Let’s dive into the details and have a chat about what this might mean for your organisation. And remember, if compliance and robust security processes aren’t already part of your routine, Synergos Consultancy is here to help you stay ahead.

WordPress Theme Vulnerabilities: Workreap Under the Microscope

CVE-2025-5012: Arbitrary File Upload Weakness

A vulnerability in the Workreap plugin, used alongside the Workreap – Freelance Marketplace WordPress theme, has raised alarms. Versions up to and including 3.3.2 are affected by an issue in the workreap_temp_upload_to_media function, where missing file type validation means that authenticated users (Subscriber-level access and above) could potentially upload arbitrary files. The danger here lies in the possibility of remote code execution if an attacker leverages this flaw effectively.
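The root cause described above is a missing file-type check on an authenticated upload path. The following Python is an added example (not code from the Workreap plugin or theme) that places the weak pattern, storing whatever the client sends under the name the client chose, next to a hardened handler that checks the extension against an allow-list, confirms the content's magic bytes match that extension, and stores the file under a server-generated name. The sample uploads and the `ALLOWED_TYPES` table are constructed for the example.

```python
"""Allow-list validation for a user-upload endpoint (added example)."""
import secrets
from dataclasses import dataclass
from typing import Optional

# Extensions this endpoint accepts, each mapped to the magic-byte prefixes
# a genuine file of that type starts with (constructed allow-list).
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
# Defence in depth: script markers that must never appear inside an
# accepted image or document (catches simple polyglot files).
FORBIDDEN_MARKERS = (b"<?php", b"<?=")


@dataclass
class Upload:
    filename: str   # name supplied by the client: untrusted
    content: bytes  # file body as received


class UploadRejected(ValueError):
    """Raised by the hardened handler when an upload fails validation."""


def unchecked_upload(upload: Upload) -> str:
    """The weak pattern: no type check, and the client-chosen name is kept,
    so a file named shell.php lands in the media directory unchallenged."""
    return upload.filename


def validated_upload(upload: Upload, name_token: Optional[str] = None) -> str:
    """Hardened handler: returns the server-side name the file is stored
    under, or raises UploadRejected. name_token exists only for testing;
    normally a random token is generated."""
    # Drop any directory component the client may have included.
    base = upload.filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    # Exactly one extension: rejects 'shell.php.png' style double extensions,
    # which some server configurations still hand to a script interpreter.
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("filename must be <name>.<ext> with one extension")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} is not on the allow-list")
    # The content must actually be the type the extension claims.
    if not any(upload.content.startswith(m) for m in ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not look like a .{ext} file")
    if any(marker in upload.content for marker in FORBIDDEN_MARKERS):
        raise UploadRejected("script markers found inside file content")
    # Never reuse the client name: the stored name is generated server-side.
    token = name_token or secrets.token_hex(16)
    return f"{token}.{ext}"


def is_accepted(upload: Upload) -> bool:
    """True if the hardened handler would store this upload."""
    try:
        validated_upload(upload)
        return True
    except UploadRejected:
        return False


# Constructed sample uploads (not files from any real site).
GENUINE_PNG = Upload("photo.png", b"\x89PNG\r\n\x1a\n" + bytes(24))
PHP_SCRIPT = Upload("shell.php", b"<?php echo 'hi'; ?>")
DOUBLE_EXT = Upload("shell.php.png", b"\x89PNG\r\n\x1a\n" + bytes(24))
MISLABELLED = Upload("photo.png", b"<?php echo 'hi'; ?>")

if __name__ == "__main__":
    print("weak handler stores:", unchecked_upload(PHP_SCRIPT))
    for sample in (GENUINE_PNG, PHP_SCRIPT, DOUBLE_EXT, MISLABELLED):
        verdict = "accepted" if is_accepted(sample) else "rejected"
        print(f"{sample.filename} -> {verdict}")
```

Only the genuine PNG passes the hardened handler; the renamed script, the double-extension name and the PNG-named PHP body are all rejected, while the weak handler stores all four under the attacker-chosen names.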

CVE-2025-4973: Authentication Bypass Concerns

Another critical issue targets the Workreap plugin. In versions up to and including 3.3.1, insufficient user identity verification during email-based account confirmation could allow unauthenticated attackers to log in as registered users – possibly even gaining administrative control if they know a user’s email address. This is a stark reminder to WordPress site administrators of the need to keep themes and plugins updated and secure.
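To make the failure concrete, the Python below is an added example (not Workreap's code) that contrasts a confirmation step which trusts the email address alone with one that requires a one-time, expiring token bound to the user record by an HMAC. The user store, secret and user ids are constructed for the example.

```python
"""Identity verification during email-based account confirmation (added example)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-ins for a real user table and a key held in a secrets store.
SERVER_SECRET = secrets.token_bytes(32)
USERS: Dict[int, dict] = {42: {"email": "alice@example.org", "confirmed": False}}
PENDING: Dict[int, str] = {}   # user_id -> nonce of the outstanding token


def weak_confirm(email: str) -> Optional[int]:
    """The flawed pattern: anyone presenting a known email address is
    treated as its owner and receives a session for that account."""
    for uid, user in USERS.items():
        if user["email"] == email.lower():
            return uid
    return None


def _mac(uid: int, email: str, expires: int, nonce: str, secret: bytes) -> str:
    msg = f"{uid}|{email.lower()}|{expires}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_confirmation(uid: int, now: int, ttl: int = 3600,
                       secret: bytes = SERVER_SECRET) -> str:
    """Create the token mailed to the user's address. Only the holder of
    that inbox learns the nonce, and the MAC binds the token to this
    account and expiry so it cannot be altered or re-pointed."""
    nonce = secrets.token_hex(16)
    expires = now + ttl
    PENDING[uid] = nonce
    sig = _mac(uid, USERS[uid]["email"], expires, nonce, secret)
    return f"{uid}.{expires}.{nonce}.{sig}"


def confirm(token: str, now: int, secret: bytes = SERVER_SECRET) -> bool:
    """Accept only a well-formed, unexpired, still-outstanding token whose
    MAC verifies; consume it on success so it cannot be replayed."""
    try:
        uid_s, exp_s, nonce, sig = token.split(".")
        uid, expires = int(uid_s), int(exp_s)
    except ValueError:
        return False
    user = USERS.get(uid)
    if user is None or PENDING.get(uid) != nonce or now > expires:
        return False
    expected = _mac(uid, user["email"], expires, nonce, secret)
    if not hmac.compare_digest(expected, sig):
        return False
    del PENDING[uid]            # single use
    user["confirmed"] = True
    return True


if __name__ == "__main__":
    print("weak check logs in user:", weak_confirm("alice@example.org"))
    tok = issue_confirmation(42, now=1_000_000)
    print("valid token accepted:", confirm(tok, now=1_000_060))
    print("replay accepted:", confirm(tok, now=1_000_061))
```

With the weak check, knowing the address is enough to be logged in as that account; with the token scheme, the attacker would need the nonce delivered to the victim's inbox, and the token expires and works once.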

AI and Email: New Frontiers in Vulnerability

In a first-of-its-kind discovery, security researchers have identified a zero-click vulnerability in Microsoft 365 Copilot’s AI agent. Without any user intervention, an attacker could potentially exploit this flaw to steal data via an email-based attack vector. The silver lining? Microsoft has promptly fixed the vulnerability, though it highlights the growing need to remain vigilant as more AI-driven technologies enter the mainstream.

Critical Vulnerabilities in the Software Ecosystem

CryptX for Perl: Unicode and Integer Overflow Issues

Two vulnerabilities in CryptX for Perl have been reported. CVE-2025-40912 details a malformed Unicode injection issue due to a vulnerable version of the bundled libtomcrypt library, while CVE-2025-40914 involves an integer overflow problem in CryptX, stemming from an embedded version of libtommath susceptible to overflow (related to CVE-2023-36328). Both flaws carry a high severity rating, reminding us that bundled dependencies can be the weak link in otherwise robust systems.

VirtueMart CSRF File Upload Bypass

Another high-severity issue, identified as CVE-2025-6001, involves a Cross-Site Request Forgery (CSRF) vulnerability in VirtueMart’s product image upload function. This flaw bypasses the normal CSRF protection token, allowing attackers to potentially upload files without restriction. Retailers and online marketplaces should be quick to assess and mitigate this risk.

Drupal Commerce Redirect Vulnerabilities

Security researchers have identified two vulnerabilities in Drupal Commerce: one affecting the Alphabank Redirect (CVE-2025-48446) and another impacting the Eurobank Redirect (CVE-2025-48445). Both involve incorrect authorisation, which could lead to unauthorised use of functionality – an issue that underlines the importance of diligent access control management.

PostgreSQL JDBC Driver Mishap

For those who depend on PostgreSQL, a vulnerability (CVE-2025-49146) in the pgjdbc driver could allow man-in-the-middle attackers to intercept what should be a secure connection. When the driver is configured with channel binding set to “required”, it may yet accept connections using less secure authentication methods. Users should upgrade to version 42.7.7 to benefit from the fix.

Microsoft Office and Outlook under Pressure

Several vulnerabilities in Microsoft Office (tracked as CVE-2025-47162, CVE-2025-47953, CVE-2025-47164, and CVE-2025-47167) have come to light, all with a CVSS score of 8.4. These affect multiple platforms including Windows, Mac, and Android. Meanwhile, Morphisec Threat Labs reported two severe remote code execution (RCE) flaws in Microsoft Outlook (CVE-2025-47171 and CVE-2025-47176). Keeping software patched is paramount to mitigate these risks.

Nomad Prefix-Based ACL and Additional Microsoft Vulnerability

Administrators using Nomad will want to note the prefix-based ACL policy vulnerability (CVE-2025-4922) that could lead to improper rule application. In a similar vein, another cautionary tale comes with CVE-2025-32711, where a command injection vulnerability in Microsoft 365 Copilot could allow unauthorised data disclosure. Vigilance in patching remains critical.

Coordinated Attacks in the Wild

Finally, a coordinated assault has been observed with over 295 malicious IP addresses launching brute-force attacks against the Apache Tomcat Manager. These attacks, which have even led to exposed camera feeds, underscore the persistent threat of brute-force tactics in disrupting services and leaking sensitive data.
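Brute forcing of the Manager application shows up in Tomcat's access log as repeated 401 responses on /manager paths from the same source. The Python below is an added example (not a Tomcat or vendor tool) that parses lines in the default AccessLogValve "common" format, keeps a sliding window of such 401s per source IP, and reports the IPs that exceed a threshold inside the window. The log lines are constructed samples using documentation-range addresses.

```python
"""Flagging brute-force attempts on the Tomcat Manager from access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, Optional

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window_s: int = 60) -> Dict[str, datetime]:
    """Map each source IP that produced at least `threshold` 401 responses
    on /manager within any `window_s`-second span to the time it was first
    flagged. Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps of recent 401s
    flagged: Dict[str, datetime] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 401 or not rec["path"].startswith("/manager"):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop failures that fell out of the window (the newest entry always stays).
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


def _line(ip: str, clock: str, status: int, path: str = "/manager/html") -> str:
    """Build one constructed log line in the common format."""
    return f'{ip} - - [10/Jun/2025:{clock} +0000] "GET {path} HTTP/1.1" {status} 2473'


# Constructed sample log: one fast guesser, one slow one, one admin typo.
SAMPLE_LOG = [
    _line("203.0.113.8", "14:00:00", 401),
    _line("192.0.2.9", "14:01:30", 401),
    _line("192.0.2.9", "14:01:45", 200),              # mistyped once, then logged in
    _line("203.0.113.8", "14:02:00", 401),
    _line("203.0.113.7", "14:03:01", 401),
    _line("203.0.113.7", "14:03:04", 401),
    _line("203.0.113.7", "14:03:08", 401),
    _line("198.51.100.23", "14:03:10", 200, "/docs/"),  # unrelated traffic
    _line("203.0.113.7", "14:03:12", 401),
    _line("203.0.113.7", "14:03:15", 401),
    _line("203.0.113.7", "14:03:19", 401),
    _line("203.0.113.8", "14:04:00", 401),
    _line("203.0.113.8", "14:06:00", 401),
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} flagged at {when:%H:%M:%S}")
```

With the defaults only the fast guesser is flagged; lowering the threshold and widening the window also catches the slow, spaced-out attempts, which is the trade-off to tune when hundreds of addresses share the work of a single campaign. A real deployment would also rate-limit or lock out at the `LockOutRealm`, but the log-side view is what lets you see the campaign as a whole.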

Today’s vulnerabilities and active attacks serve as a strong reminder that cybersecurity is ever-evolving. Whether it’s applying timely patches to your WordPress themes, securing software libraries, or keeping an eye on zero-click exploits in emerging AI systems, staying informed is key. With the rapidly changing threat landscape, consult experts like those at Synergos Consultancy for tailored advice and compliance support to ensure your systems are as resilient as possible.

Stay alert, keep your software updated, and let’s continue to learn from each new development in the cybersecurity arena!


Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.