Cybersecurity Alert: Major WordPress Vulnerabilities Exposed


Daily Cybersecurity Briefing: A Mixed Bag of Vulnerabilities and On-Chain Developments

Good day, cybersecurity enthusiasts! Today’s update covers a cluster of privilege-escalation and account-takeover flaws in WordPress plugins, a series of stored XSS issues across the 3DEXPERIENCE suite, an access-control bug in Devolutions Server, and a glance at on-chain attack trends, where Bitcoin is currently faring far better than the Ethereum and Binance Smart Chain networks. Grab your cuppa as we dive into the technical details in plain language.

WordPress Vulnerability Alerts

Offsprout Page Builder Privilege Escalation (CVE-2025-4672)

The Offsprout Page Builder plugin has a serious authorisation flaw. In versions 2.2.1 through 2.15.2, the permission_callback() on one of its REST routes does not properly check what the caller is allowed to do, so any authenticated attacker with Contributor-level access or higher can update user meta. Because WordPress stores a user’s roles in the wp_capabilities meta entry, that is enough for an attacker to grant themselves the administrator role. With a CVSS score of 8.8 (High), this is an issue site owners should patch promptly.

Profitori Plugin Privilege Escalation (CVE-2025-4631)

A similar story unfolds with the Profitori plugin (versions 2.0.6.0 to 2.1.1.3). A missing capability check on the stocktend_object endpoint lets unauthenticated attackers reach the save_object_as_user() function and write arbitrary strings into a user’s wp_capabilities meta field, which is all it takes to turn any account into an administrator. Because no login is required, this one scores 9.8 and is rated Critical.

PSW Front-end Login & Registration Vulnerability (CVE-2025-4607)

The PSW Front-end Login & Registration plugin has an Achilles’ heel in its password-reset flow: the one-time password (OTP) handled by its customer_registration() function has too little entropy, and the forget() password-reset function relies on it. A code drawn from a small space can simply be guessed, so an unauthenticated attacker can complete a reset for any account, administrators included, and take it over. The risk is equally critical, scoring 9.8.
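As an added example (not the PSW plugin’s code, whose internals the advisory does not describe), here is a constructed low-entropy reset code beside a reset-token scheme that closes the gap: a 128-bit token from the OS CSPRNG, stored only as a keyed hash, with expiry, single use, a bounded number of verification attempts and a constant-time comparison. The pb_ function names and meta keys are hypothetical; the WordPress and PHP functions are real.

```php
<?php
/**
 * Added example, not the PSW plugin's code. The advisory only says the reset
 * OTP has too little entropy, so the weak variant below is a constructed
 * illustration, not a claim about how the plugin generated its codes.
 * pb_* names and the pb_reset_* meta keys are hypothetical.
 */

// Weak (constructed): four decimal digits from a non-cryptographic PRNG is a
// search space of 10,000. An unauthenticated caller who may retry freely
// will hit the right code after a few thousand requests on average.
function pb_weak_otp() {
    return (string) rand( 1000, 9999 );
}

const PB_RESET_TTL       = 15 * MINUTE_IN_SECONDS; // token lifetime
const PB_RESET_MAX_TRIES = 5;                      // guesses per token

// Strong: 16 bytes from random_bytes() is 128 bits of entropy (32 hex chars),
// far beyond anything guessable, and only an HMAC of it is ever stored, so a
// database read does not yield usable tokens.
function pb_issue_reset_token( $user_id ) {
    $token = bin2hex( random_bytes( 16 ) );
    update_user_meta( $user_id, 'pb_reset_hash',    wp_hash( $token ) );
    update_user_meta( $user_id, 'pb_reset_expires', time() + PB_RESET_TTL );
    update_user_meta( $user_id, 'pb_reset_tries',   0 );
    return $token; // deliver via the account's verified email; never echo it
}

function pb_clear_reset_token( $user_id ) {
    delete_user_meta( $user_id, 'pb_reset_hash' );
    delete_user_meta( $user_id, 'pb_reset_expires' );
    delete_user_meta( $user_id, 'pb_reset_tries' );
}

// Verification fails closed: missing, expired or over-tried tokens are wiped
// before the candidate is even compared, and a correct token is single use.
function pb_verify_reset_token( $user_id, $candidate ) {
    $hash    = get_user_meta( $user_id, 'pb_reset_hash', true );
    $expires = (int) get_user_meta( $user_id, 'pb_reset_expires', true );
    $tries   = (int) get_user_meta( $user_id, 'pb_reset_tries', true );

    if ( ! $hash || time() > $expires || $tries >= PB_RESET_MAX_TRIES ) {
        pb_clear_reset_token( $user_id );
        return false;
    }
    update_user_meta( $user_id, 'pb_reset_tries', $tries + 1 );

    // hash_equals() compares in constant time; both sides are wp_hash() output
    // of equal length, so no timing side channel leaks partial matches.
    if ( ! hash_equals( $hash, wp_hash( (string) $candidate ) ) ) {
        return false;
    }
    pb_clear_reset_token( $user_id );
    return true;
}

// The reset endpoint: identical failure for unknown user and bad token, so the
// response does not confirm which usernames exist.
function pb_handle_reset( $login, $candidate, $new_password ) {
    $user = get_user_by( 'login', $login );
    if ( ! $user || ! pb_verify_reset_token( $user->ID, $candidate ) ) {
        return false;
    }
    reset_password( $user, $new_password );
    return true;
}
```

The attempt counter is per token, which is what stops a guessing attack on the reset itself; rate limiting the endpoint is a separate, complementary control and is not shown here.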

WP-GeoMeta Privilege Escalation (CVE-2025-4103)

This one needs only Subscriber-level access. The WP-GeoMeta plugin (versions 0.3.4 to 0.3.5) performs no capability check in its wp_ajax_wpgm_start_geojson_import() AJAX handler, so any authenticated attacker, Subscribers included, can reach functionality that lets them escalate to administrator. It is rated High with a CVSS score of 8.8.
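The Offsprout, Profitori and WP-GeoMeta advisories share one root cause: an endpoint that confirms the caller is logged in (or does not even check that) without asking whether they are allowed to do the specific thing. As an added example, not code from any of the three plugins, the block below shows the vulnerable shape of a REST route and of an admin-ajax handler, each beside a hardened version. Route names, AJAX action names and the pb_ prefix are hypothetical; the WordPress APIs are real.

```php
<?php
/**
 * Added example, not code from Offsprout, Profitori or WP-GeoMeta. It shows the
 * two authorisation mistakes those advisories describe, each beside a hardened
 * version. Everything prefixed "pb_" and the 'pb/v1' namespace are hypothetical.
 */

// Mistake 1 (REST): permission_callback answers "is someone logged in?" and the
// handler writes whatever meta key the caller names. A Contributor posts
// meta_key=wp_capabilities with a serialised administrator role and is now admin.
add_action( 'rest_api_init', function () {
    register_rest_route( 'pb/v1', '/user-meta-vulnerable', array(
        'methods'             => 'POST',
        'permission_callback' => 'is_user_logged_in',       // authentication only
        'callback'            => function ( WP_REST_Request $req ) {
            update_user_meta(
                (int) $req->get_param( 'user_id' ),
                $req->get_param( 'meta_key' ),          // attacker-chosen key
                $req->get_param( 'meta_value' )
            );
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );
} );

// Hardened. The only user meta this feature legitimately writes; wp_capabilities
// and wp_user_level are deliberately absent, and the REST schema enforces it.
const PB_ALLOWED_USER_META = array( 'pb_editor_theme', 'pb_sidebar_collapsed' );

// Authorisation, not just authentication. edit_user is a meta capability that
// WordPress grants for your own profile and, via edit_users, to administrators
// for anyone else's. A Contributor therefore still passes for their own ID,
// which is why the key allowlist below is essential, not optional.
function pb_can_edit_user( WP_REST_Request $req ) {
    $uid = (int) $req->get_param( 'user_id' );
    if ( $uid <= 0 || ! get_userdata( $uid ) ) {
        return new WP_Error( 'pb_bad_user', 'Unknown user.', array( 'status' => 404 ) );
    }
    if ( ! current_user_can( 'edit_user', $uid ) ) {
        return new WP_Error( 'pb_forbidden', 'Not allowed to edit this user.', array( 'status' => 403 ) );
    }
    return true;
}

function pb_update_user_meta( WP_REST_Request $req ) {
    $key = $req->get_param( 'meta_key' );
    // The schema already rejects other keys; the handler re-checks anyway so a
    // future route change cannot silently reopen the hole.
    if ( ! in_array( $key, PB_ALLOWED_USER_META, true ) ) {
        return new WP_Error( 'pb_bad_key', 'Meta key not permitted.', array( 'status' => 400 ) );
    }
    $value = sanitize_text_field( $req->get_param( 'meta_value' ) );
    update_user_meta( (int) $req->get_param( 'user_id' ), $key, $value );
    return rest_ensure_response( array( 'ok' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'pb/v1', '/user-meta', array(
        'methods'             => 'POST',
        'permission_callback' => 'pb_can_edit_user',
        'callback'            => 'pb_update_user_meta',
        'args'                => array(
            'user_id'    => array( 'required' => true, 'type' => 'integer' ),
            'meta_key'   => array( 'required' => true, 'type' => 'string', 'enum' => PB_ALLOWED_USER_META ),
            'meta_value' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );

// Hypothetical privileged routine both AJAX handlers below call.
function pb_run_import( $source ) {
    update_option( 'pb_last_import_source', $source );
}

// Mistake 2 (admin-ajax): wp_ajax_* hooks fire for every logged-in user, so a
// Subscriber can hit admin-ajax.php?action=pb_start_import_vulnerable and run
// an administrator-only import with no capability check at all.
add_action( 'wp_ajax_pb_start_import_vulnerable', function () {
    pb_run_import( $_POST['source'] ?? '' );
    wp_send_json_success();
} );

// Hardened: a nonce against CSRF plus a capability that matches the action.
// Administrator-only features require manage_options (or a narrower custom
// capability), never merely "logged in".
add_action( 'wp_ajax_pb_start_import', function () {
    check_ajax_referer( 'pb_start_import', 'nonce' );    // 403 and exit on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    pb_run_import( sanitize_text_field( wp_unslash( $_POST['source'] ?? '' ) ) );
    wp_send_json_success();
} );
```

Two checks do the work here: the capability check decides who may call the endpoint, and the allowlist decides what the endpoint may write. Dropping either one reproduces the class of bug described above.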

3DEXPERIENCE Stored XSS Vulnerabilities

A series of stored cross-site scripting (XSS) vulnerabilities has been identified across several applications in the 3DEXPERIENCE platform:

Collaborative Industry Innovator and Product Manager Vulnerabilities

Three separate CVEs – CVE-2025-4991 (3DEXPERIENCE Collaborative Industry Innovator), CVE-2025-4990 (3DEXPERIENCE Product Manager – Change Governance) and CVE-2025-4989 (Product Manager 3DEXPERIENCE for Requirements) – are stored XSS flaws that let an attacker execute arbitrary script code in another user’s browser session. Because the payload is stored server-side, it fires for every user who later views the poisoned content, administrators included. All three are rated High with a CVSS score of 8.7.

Other XSS Vulnerabilities within the 3DEXPERIENCE Ecosystem

For those following the intricacies of 3D design and project management, additional issues have surfaced. CVE-2025-4988 (Results Analytics), CVE-2025-4986 (Model Definition) and CVE-2025-4985 (Risk Management in Project Portfolio Manager) all allow an attacker to execute script in the user’s browser and carry the same 8.7 rating. Further, CVE-2025-4992 (Service Process Engineer), CVE-2025-4984 (City Discover in City Referential Manager), CVE-2025-4983 (City Referential Manager) and CVE-2025-0602 (SolidWorks Collaborative Industry Innovator) confirm how broadly the platform is exposed. Affected releases and fixes are listed in the vendor advisories; check them against the versions you run.

Other Noteworthy Developments

Devolutions Server Privilege Escalation (CVE-2025-4433)

Improper access control in user group management within Devolutions Server (versions up to 2025.1.7.0) creates a high-risk situation: a non-administrative user who holds both the “User Management” and “User Group Management” permissions could combine them to escalate their access, jeopardising the security of the whole environment. It carries a CVSS rating of 8.8.

On-Chain Attack Trends: Bitcoin Outshines Ethereum and Binance

In an intriguing twist from the world of blockchain, recent on-chain attacks have primarily targeted the Ethereum and Binance Smart Chain networks, while Bitcoin has enjoyed a relative reprieve. The gap is largely one of attack surface: most on-chain exploits hit smart contracts and DeFi protocols, and Bitcoin hosts very few of them. Robust security measures still matter across every digital ecosystem.

UK Cybersecurity Hiring Surge

As cyberattacks continue to rise, UK retailers and other organisations are ramping up their recruitment of ethical hackers. This hiring spree reflects the urgent need for skilled professionals who can help shore up defences against these evolving threats.

It’s worth noting that in a rapidly changing environment, companies like Synergos Consultancy are on hand to help businesses navigate these challenges. Specialising in ISO certifications, Health & Safety Management, and many more compliance areas, Synergos offers tailored support designed to keep you secure and compliant in today’s digital landscape.

This daily roundup underlines how imperative it is to monitor security advisories and address vulnerabilities as soon as possible. Whether you’re managing WordPress sites, utilising collaborative industry tools, or navigating blockchain spaces, staying informed is your best defence. Here’s to a safer digital day ahead!


Adam Cooke